How will the FTC lawsuit against Wyndham affect enterprises?

A recent FTC lawsuit against Wyndham Hotels highlighted concerns for enterprises that have suffered a data breach. Expert Mike Chapple discusses the case and its takeaways.

I saw that Wyndham Hotels recently settled a lawsuit with the Federal Trade Commission after the company experienced repeated data breaches in 2008 and 2009. Wyndham agreed to establish an information security program and subject itself to annual audits, but the company escaped paying any fines. That seems like a good deal for Wyndham, but what precedent does this FTC lawsuit settlement set for enterprise data breaches? Should organizations worry about the FTC regulating cybersecurity programs and potentially bringing lawsuits against them in the event of a breach?

From a practical perspective, you're correct that Wyndham essentially got off scot-free in this case. The FTC lawsuit was over Wyndham's failure to protect payment card information, yet the settlement imposes little that the company was not already on the hook for. In the settlement, Wyndham agreed to "establish a comprehensive information security program designed to protect cardholder data -- including payment card numbers, names and expiration dates." If that sounds familiar, it should. The Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, has required exactly this type of program for over a decade, and any merchant that accepts payment cards, Wyndham included, is already contractually bound to it. The annual audits look a lot like the annual PCI DSS validation merchants already go through. In effect, the settlement requires Wyndham to comply with a standard it had already agreed to comply with. Not a bad deal for them. The one real difference is enforceability: falling short of the settlement's terms is now a matter between Wyndham and a federal regulator, not just between Wyndham, its acquiring bank and the card brands.

Legal observers, however, note that this FTC lawsuit may have broader implications for data privacy law. Wyndham argued that the FTC lacked the authority to regulate its security program and lost: the court held that the FTC's power to act against "unfair" business practices under Section 5 of the FTC Act extends to inadequate data security. That leaves the door open for the FTC to police corporate cybersecurity more generally, and to bring suits against other organizations that fail to protect private information.

The bottom line? No matter what your line of business, keep your security and compliance ducks in a row. Keep in mind that the FTC's yardstick is whether your security practices were reasonable, not whether you held a compliance certificate on the day of the breach, so treat PCI DSS and similar standards as a floor and keep evidence that your controls actually operate. If your organization fails to protect sensitive personal information, you'll find it in the crosshairs of government regulators.

This was last published in May 2016