In the past, the FTC’s ability to enforce organization’s data security and breach notification process was vague and sparked conversation on Capitol Hill about creating new legislation on their role. Currently, the only guidelines, under a 1913 FTC Act, state that “companies that fail to provide adequate security for consumer data are engaged in an unfair or deceptive practice.”

FTC vs. Wyndham Hotels and Resorts

The recent ruling was ignited by an enforcement action against Wyndham Hotels and Resorts after more than 600,000 customer records were accessed in three different data breaches. The compromised data was sold on the Dark Web and resulted in more than $10 million in fraudulent credit card charges.

While it’s likely that Wyndham, as with most large organizations, had some cybersecurity protocols in place, they weren’t doing enough to protect their customers’ personal information and will now face the consequences.

Wyndham settled in December 2015 and agreed to “establish a comprehensive information security program designed to protect cardholder data – including payment card numbers, names and expiration dates.  In addition, the company is required to conduct annual information security audits and maintain safeguards in connections to its franchisees’ servers.”

Aside from the cost to the company in punitive damages, the repercussions to their reputation could be more costly in the long run. Once trust has been broken with a customer base, it could take years for an organization to regain that relationship.

What Could Wyndham Have Done?

In today’s complex and ever-changing IT landscape, most cyber intelligence tools can only help an organization monitor and combat threats within their internal networks.

Any organizations that possess client data should also be monitoring the Dark Web as part of a comprehensive security program to prevent or act immediately when a data breach occurs. 

Dark Web ID was created to address these specific issues. Dark Web ID’s platform provides external monitoring reports of a network’s registered online credentials, identifying compromised credentials in real time. The speed of an organization’s response to a breach is a critical factor in providing damage control and could have likely prevented the subsequent breaches at Wyndham.

The current presidential administration and lawmakers are taking notice and focusing on boosting the FTC’s ability to punish organizations for not doing their due diligence when it comes to protecting their customers’ information. Is your organization doing enough?

Like