FTC Files Data Security Complaint against Wyndham


FTC Files Data Security Complaint against Wyndham

On June 26, 2012, the FTC filed a complaint against Wyndham Hotels for alleged information security failures that compromised Wyndham’s property management system servers, resulting in the exposure and unauthorized use of thousands of customer payment card accounts. The FTC alleges that these failures led to more than $10 million in losses and has asked for an injunction to prevent future violations of the FTC Act, as well as monetary relief to redress injury to consumers.

In its privacy policy, Wyndham promised to safeguard customer personal information by using “standard industry practices” and taking “commercially reasonable efforts” to create and maintain fire walls and other appropriate safeguards to protect customer information. The FTC alleges that Wyndham violated its privacy policy in a number of ways including (1) failing to use readily available security measures, (2) failing to implement adequate information security policies, (3) failing to remedy known security vulnerabilities, (4) failing to employ reasonable measures to detect and prevent unauthorized access to its computer network, and (5) failing to follow proper incident response procedures. More details are included on pages 10-12 of the complaint.

The case is pending in a federal court in Arizona, and litigation in this area is escalating. This is a timely reminder of the need for businesses to maintain and implement sound data security practices.

For more information on data privacy and security, please contact:

Ed Lavergne
Washington, DC