Complaint Holds Wyndham Hotels Accountable for Alleged Data Security Flaws at Independent Franchisee Locations
On June 26, 2012, the Federal Trade Commission (“FTC”) filed a lawsuit against global hospitality company Wyndham Worldwide Corporation and three of its subsidiaries (the “Defendants”) alleging that the companies engaged in unfair and deceptive practices and violated Section 5 of the FTC Act by failing to implement adequate data security protections on computer systems located at 90 independently-owned Wyndham-branded hotels with whom the Defendants maintained franchise agreements.
The FTC’s Complaint is significant for two reasons. One, it represents the first time that the FTC will litigate its theory as to whether an entity’s privacy and data security practices were deceptive and unfair under Section 5 of the FTC Act (past FTC cases have resulted in pre-litigation settlements or informal closings of investigations). Two, the lawsuit reflects the FTC’s position on what facts might cause a corporate brand to be held legally responsible under the FTC Act for the privacy and information security practices of a franchisee and affiliated third parties.