On December 9, 2015, it was announced that Wyndham Hotels and Resorts reached an agreement with the Federal Trade Commission (FTC), because “the company’s security practices unfairly exposed the payment card information of hundreds of thousands of consumers to hackers in three separate data breaches.”
The quote attributed to FTC Chairwoman Edith Ramirez is unashamedly self-congratulatory: “This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security. Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”
Personally, I’m already annoyed by the bad grammar – I actually expect my government leaders and their teams of taxpayer-funded PR mavens to know that it’s “not only, but also.”
But more importantly, here’s my honest reaction to the so-called resolution to this case: Huh?
First, Look at the Timelines
The first reported data breach at Wyndham was in April 2008, followed by two additional breaches in April 2009 and “later in 2009.”
The FTC’s suit was filed in June 2012.
The stipulated order for injunction was filed in December 2015.
That’s seven years and eight months from the first data breach that caused harm to consumers, to an authoritative order from the federal government agency whose primary mission is to protect consumers.
Put that in perspective – at the time of the breach, Facebook had only been available to the general public for about six months. The iPad would not even be introduced for another nineteen months. A child born on the date of the first data breach would today be halfway through the second grade.
We’ve all heard the expression about the long arm of the law – but in this case, the arm of the law is long, slow, and – as we shall discuss next – ineffective.
Next, Look at the Actions
Setting aside the glacially slow timeline, what did the FTC’s order actually say? Among other things, Wyndham has to:
- “Establish and implement a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of Cardholder Data that it collects or receives in the United States from or about consumers” – okay, the PCI Data Security Standard that says they had to do this was formalized about three and a half years prior to the first breach, and was itself preceded by independent cardholder security programs of the five major brands
- Designate one or more employees to coordinate and be held accountable for the information security program – okay, this is the time-honored “one throat to choke” principle
- Identify material risks to Cardholder Data, and design and implement reasonable safeguards to control those risks – again, as PCI DSS has required since before the first breach
- Achieve an annual certification of compliance with the Payment Card Industry Data Security Standard, from a qualified, objective, independent third-party assessor, and correct any deficiencies found in the annual assessment within 60 days – still again, as PCI DSS has long required
In other words, after seven and two-thirds years of elapsed time, with the taxi meter of legal fees rolling up expenses for both the taxpayer and the shareholders of Wyndham Hotels and Resorts – the end result is that they have to protect cardholder data going forward, in compliance with PCI DSS. “Security theater,” meet “political theater.”
Netting it All Out
There’s plenty of blame and shame to go around:
- Shame on the management of Wyndham Hotels and Resorts, for not protecting the information of their customers in the first place
- Shame on consumers, for not voting with their buying behaviors – a quick look at Wyndham’s historical stock price (NYSE:WYN) indicates that they haven’t seemed to suffer very much from their (lack of) actions
- Shame on the FTC, for taking that long to achieve so little for consumers – and for letting Wyndham get away with basically having to start doing what it should have been doing all along
At best, maybe the precedent established from this decision is that another factor will now have to be included in the risk-based calculations regarding the return on investment of compliance, versus non-compliance, for protecting cardholder data. That is, organizations like Wyndham will have to consider not only the potential of fines by the cardholder brands, but also the time and legal costs of a no-op lawsuit with the FTC.
See that? – it’s “not only, but also.”