FTC Cybersecurity Authority Confirmed In Wyndam Settlement

Without admitting the allegations, the Wyndam hotel group of companies has settled Federal Trade Commission charges stemming from exposure of customer credit card data. The data-loss was the result of three separate hacks of hotel  computers, between April 2008 and January 2010. The proposed stipulated court order imposes numerous conditions on Wyndam, including that it establish a comprehensive information security program with annual audits. Wyndam had tried to argue that the FTC exceeded it authority by couching the breach as “unfair” to consumers and thus falling under the unfairness prong of the Federal Trade Commission Act, but that argument was undercut by an appeals court decision last year in another matter. However, current case law in this area isn’t all going the way of the FTC. This post from Alston & Bird notes that another recent case has established some sharp limits.