Problem
Wyndham Worldwide Corporation, which owns a global chain of hotels and resorts, suffered three data breaches in 2008 and 2009. Those breaches compromised the credit card information of more than 619,000 Wyndham customers.
The data breaches took place when hackers invaded the network of one of Wyndham's subsidiary companies. The entire Wyndham Hotel franchise used a common database system to collect customer information. In the first breach, hackers were able to gain access to Wyndham's corporate network via the subsidiary. In that breach, they installed memory-scraping malware on the Wyndham network servers and accessed consumer files in the common database system. In the attack, more than 500,000 credit card numbers were exported to a Russian website.
The second breach took place almost a year later and used many of the same techniques as the first breach. The hackers again installed memory-scraping malware. They also reconfigured software to obtain clear-text files of credit card numbers for Wyndham guests. The third breach took place about six months after the second breach, again using many of the same techniques as the first breach.
The Federal Trade Commission (FTC) investigated Wyndham's security practices following the breaches. The FTC argued that Wyndham had a privacy policy stating that it took reasonable security measures to protect customer information. The FTC contended that, given the breaches, Wyndham's actual data security practices fell short of that representation and were therefore deceptive and unfair.
In its complaint, the FTC alleged that much of the customer informat.
Wyndham settled its case with the FTC in 2015. As part of the settlement agreement, Wyndham agreed to:
1) Establish a comprehensive information security program designed to protect credit cardholder data.
2) Conduct annual security audits of its information security program that conform to the Payment Card Industry Data Security Standard.
Note that the settlement order with Wyndham essentially requires the hotel company to become PCI DSS compliant. The FTC did not levy any fines against Wyndham. You can read the settlement agreement and related materials.
From a legal standpoint, the Wyndham case is notable because the FTC used it to charge companies with deceptive and unfair trade practices for not having sufficient data security safeguards. Wyndham Hotels said that it protected consumer information. Wyndham was also required to be compliant with PCI DSS beginning in 2006. Some elements of the Wyndham case indicate that Wyndham was not compliant with PCI DSS at the time of the breaches in 2008 and 2009.
• Discuss whether the FTC would have pursued a case against Wyndham if it had been compliant with the PCI DSS regulations. Why or why not?