Regulatory Security Explanation (FTC v. Wyndham Worldwide Corp.)
Use this to explain your organization's security posture and controls to a regulator (e.g., the FTC); it demonstrates program effectiveness and court-supervised compliance.
Purpose
This explanation frames the organization's security posture for review by a regulator, examiner, or counsel in light of FTC v. Wyndham Worldwide Corp. It connects governance, technical controls, and evidence practices to the relevant legal or enforcement context so that external stakeholders can assess whether controls are reasonable and how mature their implementation is.
Hallucinated writing examples
Scenario: In an illustrative period after entry of the stipulated injunction on December 11, 2015 (time), the Chief Information Security Officer (role) of Wyndham Hotel Group, LLC prepares a regulatory security explanation (type) for Federal Trade Commission Staff Counsel (audience).
REGULATORY SECURITY EXPLANATION
Introduction: This submission describes Wyndham’s information security program for payment card and guest data in connection with the Stipulated Order for Injunction entered on December 11, 2015, following the Commission’s complaint filed June 26, 2012 (Federal Trade Commission v. Wyndham Worldwide Corporation, et al., D.N.J.). The Third Circuit affirmed the FTC’s authority to pursue unfairness claims for unreasonable data security practices (*FTC v. Wyndham Worldwide Corp.*, 799 F.3d 236 (3d Cir. 2015)). The order requires a comprehensive information security program, PCI DSS-aligned assessments and certifications where specified, and long-running compliance and reporting obligations. The scope of this letter includes governance, risk assessment, safeguards across franchise and corporate environments, assessment processes, and evidence of operation. Detailed exhibits are provided under separate cover and cross-referenced in the attached evidence index.
Governance: A designated security leader coordinates the program with defined reporting to executive management and the board (or appropriate committee). Policies address access control, change management, logging, incident response, and oversight of franchise and property systems connected to Wyndham-branded payment environments. Charters, meeting cadence, and escalation paths are documented for examiner review.
Risk Management: The Company maintains a risk assessment process identifying material risks to payment card and guest information, including risks arising from network connections between franchised properties and corporate systems. Identified risks are mitigated, tracked, and revisited on a defined schedule; material items are escalated per policy.
Control Environment and Evidence of Operation: Key controls by domain:
(1) Network segmentation and remote access. Controls limiting and monitoring connectivity between property environments and corporate systems; monitored remote access paths. Evidence: network diagrams, firewall rule reviews, remote access logs (samples), change tickets.
(2) Vulnerability and patch management. Scanning, prioritization, and remediation tracking for in-scope systems. Evidence: scan reports, remediation tickets, SLA metrics.
(3) Logging and security monitoring. Collection and review of security-relevant events; incident response procedures. Evidence: SIEM configurations, alert samples, IR tickets, tabletop summaries.
(4) PCI DSS assessment program. Engagement of qualified assessors; tracking of findings to closure as required by the order. Evidence: ROC/SAQ artifacts (as applicable), remediation evidence, certification records.
(5) Vendor and franchise oversight. Security requirements and review processes for service providers and franchise technical connections in scope. Evidence: contracts, questionnaires, audit summaries.
Incidents and Remediation: The FTC’s complaint alleged multiple payment card data incidents involving Wyndham-branded hotels and failures of reasonable security. Remediation and program maturation have proceeded under the stipulated order’s requirements. The Company retains compliance records as specified and will produce additional materials upon request consistent with the order. This response is submitted for staff review and is supported by the attached evidence index.