FTC vs. Wyndham Epilogue: Settling for Less

Don Miller

MFT Nation promised to provide updates on developments in the FTC v. Wyndham Worldwide Corp. data security case.  True to our word, we want to let you know the case has settled.  You may recall that MFT Nation described the FTC’s complaint as a “case study for what not-to-do in the rapidly changing world of data security,” because Wyndham allegedly did not make use of “reasonable” data security measures such as encryption and firewalls.

We decided to follow the case hoping that the parties’ divergent positions would produce a litigation process conducive to further defining what constitutes “reasonable” data security standards.  For example, the FTC’s complaint details a lengthy list of alleged “security insufficiencies” that allowed hackers to gain access to internal networks multiple times over an 18-month period, yet Wyndham stated publicly that it chose to fight the lawsuit because of its “strong belief” that it had deployed reasonable data security measures.  Whereas the FTC alleged Wyndham’s lax data security practices allowed hackers to effect $10.6 million in fraudulent credit card transactions, Wyndham still maintains that it “has not received any indication that any hotel customers experienced financial loss as a result of these attacks.”

Given the settlement, we will not have the benefit of the litigation process to determine where the truth lies.  Wyndham issued a statement saying the settlement “sets a standard for what the government considers reasonable data security of payment card information.”  I wouldn’t go that far, but let’s take a look at the settlement terms to see if they provide any guidance relating to data security practices.

Under the settlement, Wyndham is required to implement a “comprehensive information security program” and thereafter “maintain” it for a period of 20 years.  The settlement document lists the required “administrative, technical, and physical safeguards” of the program.  Basically, it requires Wyndham to identify “material internal and external risks,” implement “reasonable safeguards to control the risk,” and staff the program with competent employees/contractors.  There is nothing new or earth-shaking about that.

In addition, Wyndham must retain an independent auditor to perform annual audits under the Payment Card Industry Data Security Standard (PCI-DSS), a series of data security protocols for organizations that handle major credit cards.  Again, there is nothing new or earth-shaking about ensuring that an entity handling credit card transactions complies with industry standard data security protocols.

The FTC said the settlement was noteworthy because it requires Wyndham to adhere to standards “exceeding” those of the PCI-DSS, specifically including a requirement for Wyndham to protect the perimeter of its networks by using a firewall to create a barrier between its own servers and those of franchisees.  The lack of a firewall between franchisees’ servers and Wyndham’s own servers was a “critical gap that left the door open to hackers on three separate occasions,” according to a post-settlement statement from the FTC.

The FTC raises an important point about perimeter security.  Some folks have suggested that perimeter security is unnecessary as long as the data is protected end-to-end using encryption—regardless of which channels it goes through or its eventual destination.  The reasoning behind this so-called data security approach is that the encrypted data can be accessed only by the intended party and no one else.  But this line of reasoning has a lot of holes.  For example, encryption becomes useless once a network intrusion has occurred and cybercriminals operate with stolen valid user credentials.

Encryption is an essential component of any good data security infrastructure, but it is not, and cannot be the only piece.  All good data security infrastructures deploy a layered approach which includes firewalls and encryption, among other things.  A firewall is essential where there is any external connectivity, either to other networks or to the internet.  It is important that firewalls are properly configured, as they are a key weapon in combating unauthorized access attempts.

The FTC imposed no monetary penalties against Wyndham, but explained that it lacks authority in most data security cases to get civil penalties, although the agency is seeking that authority from Congress.

If you have questions about this case or want to discuss your data security practices with bTrade, send a confidential email to info@btrade.com.