The Wyndham case has settled. Here are several observations about the settlement:
- If Wyndham obtains a clean PCI-DSS assessment, Wyndham enjoys a presumption that it is in compliance with the requirement to have a “comprehensive information security program.” The presumption is important, because it is in effect a safe harbor from civil penalty/contempt actions. The FTC will have to go to court and overcome that presumption.
- Wyndham’s presumption can be invalidated if 1) Wyndham made a misrepresentation to the assessor or 2) Wyndham changed its technical architecture. Both 1 & 2 are important, meaningful exceptions. No mens rea requirement attaches to the misrepresentation exception, so presumably any misrepresentation, including one made without fraudulent intent, would defeat the presumption. Also, companies do change their architecture in order to game assessments.
- The FTC did not secure much “fencing in” relief. The order principally pertains to card data security, despite labeling it a “comprehensive information security program.”
- Wyndham negotiated different treatment for its franchise hotels.
- It looks as though properties that Wyndham sells are no longer subject to the order.
- On the upside, in negotiating this settlement, the FTC has in a sense raised its assessment standards. PCI, for all its problems, looks more like a standard that can be audited against, rather than the “assertions” that are “assessed” in other privacy/security cases.