In July 2012, we discussed on our blog the cyber security breaches at Wyndham Hotel Group that took place from 2008 to 2010 and affected more than 500,000 customers, along with the resulting lawsuit brought against the hotel giant by the Federal Trade Commission (FTC). The FTC alleged that Wyndham misrepresented the types of security measures it had taken to prevent hackers from attacking. The FTC claimed that the breaches were the result of Wyndham’s failure to properly use complex passwords, a network setup that didn’t properly separate corporate and hotel systems, and “improper software configurations” that led to sensitive payment card information being stored without encryption. According to the federal agency, as much as $10.6 million in fraudulent credit card charges were made due to these failures. What’s more, the FTC asked a federal court to require Wyndham to do better and to “redress injury” caused by the hacking.
Wyndham last year vowed to fight the charges alleged by the FTC and is now asking the judge in the case to throw out the agency’s complaint, saying the lawsuit amounts to an “unprecedented power grab in which the FTC is seeking to hold businesses responsible for hacking, rather than the hackers themselves”.
“This is the Internet equivalent of punishing the local furniture store because it was robbed and its files raided,” Wyndham said in a recent court filing.
Additionally, according to Wyndham, the FTC brought the case without ever providing companies with any guidance on what security practices they should adopt. In fact, Congress has yet to give any Washington agency explicit authority to regulate corporate cyber security in general or to order companies to beef up the security of their systems. Instead, the FTC, citing its long-standing power to protect consumers, has stepped into the breach. The agency based this case and other similar ones on its authority under Section 5 of the Federal Trade Commission Act, a broadly written law first enacted in 1914 that authorizes the commission to act against a company that harms consumers by taking unfair or deceptive action.
We’ll keep you posted on the progress of this case and others in the hospitality industry. Cyber security is an issue for all industries, especially hospitality, which handles personal customer data in its multitude of transactions. According to a 2012 Verizon Communications Report, the accommodation and food service industries accounted for half of all breaches. Moreover, the risk of a data breach is not one that only large operations face; smaller, independent enterprises are also vulnerable because hackers feel they can easily get into their systems, which are not as well secured.
Our breadth and depth of experience in insuring hotels and resorts provide us with the specialty needed to fully understand the exposures hotels and resorts face regarding cyber security and privacy issues. At IPOAUSA, we have an exclusive Hotel Insurance Program with Lloyd’s for limited and full-service hotels offering Data Breach coverage. Written through Beazley, this coverage includes breach notification and credit monitoring services with separate coverage limits for third party claims; breach response coverage for forensic and legal assistance, and notification costs; bureau credit monitoring services; a crisis management sublimit for public relations and extraordinary notification expense; a separate limit of liability for privacy, network security and media claims; and more. There is a $100,00 PCI restriction.
For more information about our hospitality insurance program and our Data Breach coverage for limited and full-service hotels, please call Stefan Burkey at 877.653.IPOA (4762).