I saw that Wyndham Hotels recently settled a lawsuit with the Federal Trade Commission after the company experienced repeated data breaches in 2008 and 2009. Wyndham agreed to establish an information security program and subject itself to annual audits, but the company escaped paying any fines. That seems like a good deal for Wyndham, but what precedent does this FTC lawsuit settlement set for enterprise data breaches? Should organizations worry about the FTC regulating cybersecurity programs and potentially bringing lawsuits against them in the event of a breach?
From a practical perspective, you're correct that Wyndham essentially got off scot-free in this case. While the FTC lawsuit was over Wyndham's failure to protect payment card information, the settlement doesn't impose any new obligations on the company. In the settlement, Wyndham agreed to "establish a comprehensive information security program designed to protect cardholder data -- including payment card numbers, names and expiration dates." If that sounds familiar, it should. The Payment Card Industry Data Security Standard -- PCI DSS, maintained by the PCI Security Standards Council -- has required this type of program for over a decade. The terms of the FTC lawsuit settlement require that Wyndham comply with a standard with which it has already agreed to comply. Not a bad deal for them.
Legal observers, however, note that this FTC lawsuit may have broader-reaching implications for data privacy law. Wyndham failed to convince the court that the FTC lacked the jurisdiction to regulate its security program. This leaves the door open for potential FTC regulation of cybersecurity and leaves the agency free to bring suits against other organizations that fail to protect private information.
The bottom line? No matter what your line of business, keep your security and compliance ducks in a row. If your organization fails to protect sensitive personal information, you'll find it in the crosshairs of government regulators.