FTC Sues Wyndham Hotels

Author: Ms Amy Malone
Profession: Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

The Federal Trade Commission (FTC) has announced that it has filed suit in U.S. District Court in Phoenix against Wyndham Worldwide Corporation and three of its subsidiaries. The lawsuit cites "alleged data security failures that led to three data breaches at Wyndham hotels in less than two years." The breaches in question date back to 2008.

Details of the complaint are below.


Wyndham Worldwide: franchises and manages hotels throughout the U.S.

Wyndham Hotel Group ("Hotel Group"): subsidiary of Wyndham Worldwide

Wyndham Hotel and Resorts ("Hotel and Resorts"): subsidiary of Wyndham Hotel Group and uses franchise agreements to license the Wyndham name to independently-owned hotels. Hotel and Resorts provided "information technology services" to these franchises. All online reservations for Wyndham-branded hotels are made through the Hotels and Resorts' site.

Wyndham Hotel Management ("Hotel Management"): subsidiary of Wyndham Hotel Group and uses management agreements to license the Wyndham name to independently-owned hotels and "agrees to fully operate the hotel on behalf of the owner."

The FTC makes a persuasive argument as to why all of the defendants make up a common business enterprise. According to the complaint, "at all relevant times, Hotel Group and Wyndham Worldwide have performed various business functions on Hotel Management's behalf, or overseen such business functions, including legal assistance and information technology and security." Wyndham Worldwide is responsible for creating and maintaining oversight of security policies and procedures for itself and its subsidiaries.

Allegations set forth in the complaint and the FTC's description of the breaches:

Defendants' Deceptive Statements

Defendants' privacy policies or online statements say that they "safeguard our Customers' personally identifiable information by using standard industry practices." The statements also say that Defendants take "commercially reasonable efforts to create and maintain 'fire walls' and other appropriate safeguards..."

Defendants' Inadequate Data Security Practices

The Defendants engaged in numerous practices that put the security of their customers' personal information at risk. Those practices include, but are not limited to:

Failing to use firewalls between networks

Failing to encrypt stored payment card information

Connecting branded hotels to the corporate network without first implementing adequate security measures at those locations

Failing to...
