Let’s connect!

FTC v. Wyndham: A Cybersecurity Wake-Up for the Hospitality Industry

Jack Pulvirenti, CPA
06.07.2016 | Client Alert
Cybersecurity is a critical issue for many businesses, but the hospitality industry is particularly vulnerable to hackers and other cybercriminals. There are many reasons for this unfortunate reality, including constantly rotating guests, high staff turnover, and complex reservation systems integrated with third-party applications across multiple channels. Also, hotels tend to store customer credit card data in several places, including reservation systems as well as point-of-sale (POS) systems at restaurants, bars, and gift shops. Often, POS systems are shared among hotel chain members, increasing their exposure to cybercrime.

In addition to a damaged reputation, hotels that experience data breaches may have to deal with costly class-action suits by credit card customers and, increasingly, enforcement actions by state and federal government agencies. In recent years, the Federal Trade Commission (FTC) has assumed the mantle of federal cybersecurity regulator, a role that was endorsed by the U.S. Third Circuit Court of Appeals in FTC v. Wyndham Worldwide Corporation.

Hotel owners should view the Wyndham decision as a wake-up call to review and update their information security programs. By taking proactive steps to protect customer information, hotels can reduce the risk of a data breach and avoid costly enforcement actions.

Does Your Data Security Live Up to Your Privacy Policy?

In Wyndham, the FTC sued the global hotel operator for failure to maintain “reasonable and appropriate” data security measures. The company had experienced three data breaches in 2008 and 2009 that compromised more than 600,000 credit card records and led to more than $10 million in fraudulent charges.

The FTC claimed jurisdiction over cybersecurity based on its broad statutory authority to regulate “unfair or deceptive acts or practices.” The FTC argued, and the Third Circuit agreed, that Wyndham’s website privacy policy overstated its data security and, therefore, was unfair or deceptive. Wyndham’s data security practices fell short in several ways. Among other things, the company:

  • Stored credit card information in clear, readable text.
  • Allowed employees to use easily guessed passwords.
  • Failed to use readily available security measures, such as firewalls.
  • Allowed hotel property management systems to connect to its corporate network without taking appropriate cybersecurity precautions, such as disabling default user IDs and passwords or maintaining an adequate inventory of network-connected computers.
  • Failed to adequately restrict vendor access to its network and the servers of Wyndham-branded hotels.
  • Failed to employ intrusion detection and prevention systems, conduct security investigations, or follow proper incident response procedures. For example, the company didn’t monitor its network for malware used in previous intrusions.

After the Third Circuit recognized the FTC’s authority, the parties settled and agreed to a Consent Order. The order did not impose any monetary penalties — the FTC has very limited authority to seek penalties. But it required Wyndham to implement a 20-year comprehensive information security program that’s “reasonably designed to protect the security, confidentiality, and integrity” of customers’ credit card data.

As part of the information security program, Wyndham must 1) conduct a risk assessment, 2) implement and test reasonable safeguards that control identified risks, 3) take reasonable steps to ensure that service providers maintain appropriate safeguards for customer information, and 4) designate one or more employees to be accountable for the program. Security measures must comply with the Payment Card Industry Data Security Standard (PCI DSS) or a comparable, FTC-approved standard.

In addition, Wyndham must undergo annual audits of its security practices and obtain an independent assessment and incident report within 180 days after any data breach that affects more than 10,000 credit card numbers. If Wyndham makes any significant changes to its information security practices, it must obtain an independent assessor’s certification that the company continues to comply with approved standards.

What’s Your Next Step?

The Wyndham decision and Consent Order provide welcome guidance on the types of cybersecurity measures the FTC is seeking. Another valuable resource is the FTC’s publication, Start With Security, A Guide for Business, Lessons Learned From FTC Cases, available at www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business.

If you haven’t evaluated your information security practices recently, now’s a good time to conduct a risk assessment. According to the FTC, hotels should consider, at a minimum: Employee training and management; information systems, including network and software design, information processing, storage, transmission, and disposal; risks associated with branded hotels; and prevention, detection, and response to intrusions.

By ensuring that your practices meet with FTC standards, you can minimize the risks of a data breach and avoid the time and expense of an FTC enforcement action.