Board Pack (FTC v. Wyndham Worldwide Corp.)

Use this to brief executives and counsel.


Purpose

This board brief provides decision-useful context for FTC v. Wyndham Worldwide Corp.: payment-card intrusion allegations, Third Circuit affirmance, the stipulated injunction, franchise connectivity risk, and specific oversight decisions requested from directors. It is designed to help the board evaluate governance adequacy, remediation priority, and reporting cadence across legal, technical, and operational dimensions.

Hallucinated writing examples

Scenario: In an illustrative period following the Third Circuit decision and entry of the stipulated injunction (time), the Chief Information Security Officer (role) prepares a board security brief (type) for the Board Audit Committee (audience).

MEMORANDUM

To: Board Audit Committee
From: Chief Information Security Officer
Date: April 18, 2016
Subject: Board Security Brief — FTC v. Wyndham; 799 F.3d 236; Stipulated Order (Dec. 11, 2015) and Remediation Status

This memorandum summarizes the Federal Trade Commission’s enforcement action alleging unfair data security practices related to payment card information at Wyndham-branded properties, the Third Circuit’s decision in Federal Trade Commission v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015), and the Stipulated Order for Injunction entered December 11, 2015, including PCI DSS–aligned assessment obligations and requirements addressing network connections between properties and corporate systems.

Incident Summary: The FTC alleged three intrusions between 2008 and 2009 involving property systems and corporate connectivity, with large-scale payment card data exposure and fraudulent charges. After denial of Wyndham’s motion to dismiss, the Third Circuit affirmed the FTC’s Section 5 unfairness authority in this context. The matter resolved with a stipulated order requiring a comprehensive information security program and sustained assessment and reporting obligations. Franchise and property variability increases operational complexity for consistent technical baselines and auditable evidence.

Regulatory and Legal Outcomes: The stipulated order imposes long-running obligations to maintain and document controls for payment card data, connectivity risk, logging and monitoring, and franchise oversight. Failure to close assessment findings or to maintain connectivity inventories creates repeat supervisory and reputational risk. Management reports progress against order milestones to legal and compliance leadership.

Control Failures and Root Causes: The public complaint and related materials emphasized:

  1. Inadequate segmentation and monitoring between Wyndham-branded hotel property systems and corporate networks;
  2. Weak remote-access and credential practices, including default configurations and inconsistent franchise conformance;
  3. Insufficient centralized visibility and incident response discipline across repeated intrusion events;
  4. Board and management reporting that did not reflect the technical risk concentration in payment environments.

These areas are the focus of our remediation plan.

Remediation and Order Compliance: The Company is implementing connectivity inventories with owners, segmentation baselines, MFA and vendor access governance for payment paths, centralized logging for in-scope segments, and PCI-related assessment remediation tracking with board-visible aging. Independent assessments occur on the cadence required by the order.

Approval and Endorsement Requests: Management requests the Committee’s approval of the program governance model and annual assessment budget; endorsement of escalation policy for franchise-managed technical exceptions; and confirmation of quarterly KPI reporting on open assessment findings, mean time to remediate, and connectivity exceptions.

Please let me know if additional information or further detail would be helpful.

Respectfully submitted,

Chief Information Security Officer

Document-type guide: Board Security Brief

Writing tips: Writing best practices — Board Security Brief

© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM