When hackers broke into the network of a Wyndham Worldwide franchisee three times in 2008 and 2009, they allegedly took advantage of lax security on the hotel giant’s corporate network to gain access to dozens of other Wyndham sites. Ultimately, the data of more than 600,000 cardholders was compromised. Now that mess has led to a settlement between the FTC and Wyndham that highlights every business’s legal responsibility for customer data security.
Every business – big, and small.
The Federal Trade Commission sued Wyndham and its subsidiaries over the breaches, leading to an important ruling earlier in the proceedings that the FTC does have the authority to protect consumers by enforcing reasonable data security by businesses. Now, in the settlement announced on December 9, 2015, the hotel giant faces oversight of its data security practices for the next twenty years and is specifically required to show “a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of Cardholder Data that it collects.” It also needs to report on its compliance with the Payment Card Industry Data Security Standard (PCI DSS.)
So what does Wyndham—and the 50+ other data security actions brought by the FTC—mean to you and your business?
Consumer advocates, data security watchers and the business community all point to FTC v Wyndham as a milestone in establishing the responsibility of businesses to protect consumer data. Quite simply, if you collect sensitive customer data—and especially customer payment data—you have a responsibility to take reasonable measures to protect it. And that’s a more comprehensive responsibility than just outsourcing the technical parts of data security and making sure your e-commerce provider uses https protocol.
Thankfully, the FTC is more than just an enforcer: The FTC offers free resources for businesses to “start with security.” There you’ll find guidance to help you ensure your everyday operations are safeguarding consumer data. (The FTC website is a helpful, well-organized, plain-language resource on many topics.)
Check in with your lawyer to review your business’s data security responsibilities.
Your lawyer can help make sure your business lives up to its data security responsibilities too.
For example, you need to take reasonable steps to ensure your customers’ data is protected at every point in your process. This means people you work with, such as vendors, contractors, strategic partners and franchisees, must protect your customer data on your behalf. Your agreements with these parties need to make their responsibilities clear and can even specify required standards or procedures.
You’ll also want to think about your internal Standard Operating Procedures regarding customer data: do your employees know what to do and do they do it?
And you also need to review the promises you make to your customers about data security. For most businesses, those promises are made in a privacy policy and in their website’s terms and conditions. In fact, Wyndham’s privacy policies were part of what got it into trouble. The court found disparity between what Wyndham promised customers it did to protect their data and what it actually did. So don’t just do a cut-and-paste job to put T’s and C’s at the bottom of your website. Your lawyer can help align those agreements with your practices and the FTC standard.
Of course, there may be other relevant issues specific to your business too, issues your lawyer can help you identify.
Hackers don’t just target big businesses: they know smaller businesses are often the most vulnerable and, as seen in the Wyndham case, often the easiest way to get in and link to a larger system. Take some time to review what needs to be done to reasonably protect your customers from their data being compromised, as well as to protect your business from the costs, customer ill will, and potential enforcement action associated with a breach.