After the United States Court of Appeals for the Third Circuit recently affirmed the denial of Wyndham Hotel’s motion to dismiss claims that it allegedly violated Section 5 of the FTC Act (as reported in Issue No. 197 of The GPMemorandum), a federal court in New Jersey entered a stipulated order for an injunction resolving the case. FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887 (D.N.J. Dec. 11, 2015). The complaint filed by the FTC alleged that Wyndham engaged in unfair practices by failing to maintain reasonable and appropriate data security for consumers’ sensitive personal information. Under the stipulated order, Wyndham agreed—at least as to its company-owned hotels—to establish and maintain a comprehensive information security program to protect the security and confidentiality of consumer credit and debit card data for twenty years. This program must include the designation of employees to coordinate and be accountable for the program, the identification of potential internal and external risks to cardholder data and the development of safeguards to manage those risks, the development of a process to identify vendors and service providers who can adequately protect customer data, and the evaluation and adjustment of corporate-owned hotels’ information security programs where appropriate.
Further, Wyndham must obtain an annual assessment of its corporate-owned hotels’ compliance with these requirements. If there is a data breach involving more than 10,000 card numbers, further assessment of the hotels at issue will be required. Wyndham must also submit compliance reports to the FTC one year after the entry of the order and within two weeks of any change to its corporate structure or relevant points of contact, and must engage in ongoing compliance monitoring by the agency. Under this provision, the FTC may seek further discovery without leave of the court.
It is important to note, however, that the stipulated order specifically does not apply to Wyndham’s “branded” (i.e., franchised) hotels.