Editor’s Note: The FTC/Wyndham issue should be seen as a subset of the overall debate on cybersecurity regulation. More specifically, the question is whether federal regulation of private sector cybersecurity will be implemented piecemeal, in an ad hoc fashion by various agencies, with little predictability and the potential for inter-agency conflicts, or on a coordinated, cost-effective basis.
From: Ballard Spahr, LLP
by Kim I. McCullough, David A. Haworth, and Mercedes Kelley Tunstall
The Federal Trade Commission’s recent lawsuit against Wyndham Worldwide may mark the beginning of FTC enforcement actions targeting franchise systems through allegations of customer data security vulnerabilities in franchisors’ technology platforms or the platforms maintained by their franchisees. This lawsuit is the latest in a string of more than 30 legal actions—all of which have resulted in settlements—intended to address allegedly misleading consumer privacy policies and inadequate data security policies and practices. While targets of FTC privacy actions have included companies of all sizes, the Wyndham suit is the first to target a franchise system.
Wyndham is challenging the suit, arguing that the FTC lacks authority to regulate data security and that the FTC’s allegations are baseless because they relate to customer data collected by independent franchised locations, and not by the franchisor. In light of this most recent enforcement action, franchisors should take the opportunity to review their data security and website privacy policies and examine their credit card management and other technology systems, including those accessible to franchisees.
The Wyndham lawsuit, filed June 26, 2012, in the U.S. District Court for the District of Arizona, alleges that more than 500,000 credit card numbers were stolen, along with customers’ personal information, resulting in fraudulent charges in excess of $10.6 million. The allegations focus on the franchise system’s ability to prevent data security breaches through control of the configuration and password policies of computer systems and servers located at the corporate data center and franchisee/vendor locations, as well as the system’s ability to limit a non-compliant franchisee’s access to the franchisor’s networks. The complaint alleges that on two occasions, hackers compromised a computer server at a franchised location and then used the compromised server to access networked servers at other franchised or company-managed locations. In a third instance, a vendor’s account password was allegedly hacked on a corporate server, which then permitted the hackers to install access servers at franchised locations.
The FTC’s complaint alleges that Wyndham and its subsidiaries violated Section 5(a) of the FTC Act, 15 U.S.C. §45(a), which prohibits “unfair or deceptive acts or practices in or affecting interstate commerce.” The complaint alleges that a Wyndham subsidiary’s data-security practices were “unfair” because they allegedly failed to ensure “reasonable and appropriate” protections for consumer information. The complaint also accuses the Wyndham subsidiary of making deceptive statements on its online privacy policy concerning its data security.
The motion to dismiss filed by Wyndham and its affiliates raises a significant challenge to the FTC’s legal authority to prosecute the action in the first instance. Wyndham argues that the lawsuit exceeds the FTC’s mission and regulatory authority under 15 U.S.C. §45(a) and must be dismissed. Specifically, Wyndham argues that the FTC is not authorized under the FTC Act to establish minimum criteria for data security policies, design criteria for complex network operating software, or regulate consumer credit card data. Moreover, Wyndham argues that the FTC’s authority in the area, if any, can only be exercised through the rulemaking processes after public comment.
On August 28, 2012, Wyndham and its affiliates sought dismissal of the FTC’s suit, citing among various reasons that the pleadings lacked specificity. Wyndham’s motion states that no data it collected is alleged to have been compromised, but rather only data collected by “independent Wyndham branded hotels.” It further argues that the privacy policy on the Wyndham subsidiary’s corporate website, which the FTC claims was deceptive, makes no representations about the security of data collected by franchised locations, noting that those locations operate independently of the franchisors and have their own data security rules. Indeed, the privacy policy explicitly disclaims making any representations about data security at the franchisee level. The FTC’s opposition to the motion to dismiss was due October 1, 2012.
As a practical matter, regardless of the outcome of the challenge to the FTC’s enforcement authority, the FTC’s potential new focus on franchise systems raises many compliance and legal concerns for franchise systems in the privacy and data security area. Even if the claims against Wyndham are dismissed, the FTC’s allegations highlight the possibility of other types of data breach and privacy claims.
Thus, franchisors should consider closely scrutinizing their stated privacy policies as well as their underlying credit card management and other technology systems, including those to which franchisees are granted access. For example, the complaint suggests that from the FTC’s perspective, a franchisor that provides or licenses technology systems to franchisees has significant obligations to control the manner in which the technology system can be configured at the franchised locations and to limit or prevent access to protected customer information between franchised systems through the use of internal firewalls. The franchisor’s obligations under the circumstances in that case seem to include, according to the allegations in the complaint:
- Requiring that default passwords on all franchisor, franchisee, and vendor accounts be changed to passwords that are not easily guessed in brute-force attacks
- Designing appropriate firewalls between and among servers and franchisee locations
- Requiring franchised locations to establish and implement information security policies and website privacy policies reflecting their online practices before allowing connections to the franchisor’s networked systems
- Ensuring that franchisee locations maintain current and supported server software and security, and potentially disallowing access to outdated systems lacking security updates
- Inventorying networked computers so that devices can be managed and the origin of attacks from within the corporate network can be identified
- Establishing incident response procedures and an intrusion detection or monitoring system
- Restricting vendor or other third-party access to internal computer networks
This list is, of course, case specific and non-exclusive.
Franchise systems, and particularly mid-sized and smaller systems with limited internal security expertise, should consider seeking immediate legal and technical guidance to ensure that their security systems and design, technology systems, licensing policies and procedures, and franchise systems are structured to minimize the liability exposure of franchisor and franchisees alike to data breaches and other privacy-related claims. Similarly, reservation and payment systems should be reviewed closely for compliance with local and federal statutes, rules, and regulations.