What Does the Wyndham-FTC Settlement Mean for Travelers?

December 9, 2015 | rjmcgarvey | InfoSec, Travel

rjmcgarvey01

Not as much as we wanted.

Call it half a loaf – but, as usual, a half loaf is generally better than no loaf at all.

That’s the coda to the long running FTC actions against Wyndham, which operates Ramada, Days Inn, Super 8, Dream Hotels, and Wyndham Hotels. This got its start as far back as 2008 when, said the FTC, a team of Russian hackers breached Wyndham’s computers.

It got worse. According to the FTC the same gang returned in 2009 and made off with more account information. Wyndham suffered three breaches from the gang, by the FTC’s tally.

By the FTC’s reckoning, some 619,000 accounts were breached.

That is ugly.

It’s of course also too common in the hotel business, where recent months have seen Trump, Mandarin Oriental, Hilton, Starwood and White Lodging (for a second time)  victimized in breaches. Hundreds of thousands of us – maybe millions – have had our credit card data stolen from the hotels to whom we entrusted it.

Independent security experts have also told me that – in addition to the hotels known to have been breached – very probably there are many more that have been breached but so far the breach has gone undetected. What this comes down to is a fundamental failure by many hoteliers to take customer privacy seriously.  They insist on a guest offering a credit card on check in – I think it must be 40 years ago when I last checked in without proffering a credit card and in that case a Fortune 25 company’s travel department had booked the room and was on the hook for the charges.

And then the hotel too often fails to protect that credit card data.

The Wyndham-FTC dance is important because this is the breach that has made it into the courts and nobody had thrown out the FTC’s right to badger Wyndham.  So there was reason to hope for clarity and strong guidelines regarding a hotel’s obligation to protect guest personal and credit card information.

Did that happen?

In its press release the FTC said that Wyndham had settled with the agency.  It added: “The proposed stipulated federal court order requires Wyndham Hotels and Resorts to obtain annual security audits of its information security program that conform to the Payment Card Industry Data Security Standard for certification of a company’s security program.  In addition, the order requires Wyndham’s audit to:

     * certify the ‘untrusted’ status of franchisee networks, to prevent future hackers from using the same method used in the company’s prior breaches;

  • certify the extent of compliance with a formal risk assessment process that will analyze the possible data security risks faced by the company;
  • and certify that the auditor is qualified, independent and free from conflicts of interest.”

Probably the best bit is this: “The order also requires that in the event Wyndham suffers another data breach affecting more than 10,000 payment card numbers, they must obtain an assessment of the breach and provide that assessment to the FTC within 10 days.”  

Wyndham also agreed to follow this regimen for 20 years.

For its part, Wyndham, in a statement, said: “We are pleased to reach this settlement with the FTC, which does not hold Wyndham liable for any violations, nor require Wyndham to pay any monetary relief.”

What is especially annoying about the settlement is this: “The consent order applies only to payment card information, and does not apply to any other categories of personally identifiable information,” said Wyndham.

That would seem to mean that loyalty program information, driver’s license numbers, home addresses, phone numbers and much of the rest of the personal information collected at check-in is not covered by the settlement.

The FTC nonetheless applauded its outcome.  “This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” said FTC Chairwoman Edith Ramirez in a statement. “Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”

That just maybe is the plus.  The government apparently is gaining clout in going after companies that have been breached and it about time.  Because more companies – more hotels in particular – will be breached and we travelers need all the powerful friends we can gather to help protect our privacy.  

Continue reading »

Leading Causes of Death Among Travelers: A Hierarchy of Risks

December 2, 2015 | rjmcgarvey | Travel

rjmcgarvey01

 

by Robert McGarvey

 

You may die when you travel abroad.  2466 of us did in the period 2011-2013, per data from the Centers for Disease Control.

But just maybe what you fear is not what will kill you. And what you take for granted, may.

Terrorism is causing many of us to cancel vacas to Paris, Belgium, and I even hear of people skittish about Berlin, Madrid and Rome.

Understand: I am all in if you are afraid of Tunisia, Syria, Lebanon, Bangladesh, Pakistan, Afghanistan, Iraq, Iran, Sudan, Somalia, Mali, Libya.

If you are especially cautious, you might cross off Turkey, Egypt, Kenya, Venezuela, Honduras, Saudi Arabia, and a few more places.

I would not quibble with this, tho I would note that at least a few of those places (Venezuela and Honduras for instance) have a lot more worries about crime than terrorism. A criminal may kill you in Honduras but you are not likely to bump into any terrorists there.

But there are places I would not go and most of them were just named.

Which brings us to the money question: if thousands of us die abroad, what kills us?

This chart sums it up in one picture. (Deaths in wars are excluded from this count.)

The single biggest killer – eliminating 600 of us, nearly a fourth in that CDC count – is road accidents.  

“The real risk is motor vehicle accidents – that’s the greatest threat,” agreed Phil Sylvester,  a safety expert with travel insurer World Nomads.

Have you ever been in a speeding car in India, for instance? Be afraid, be very afraid.

Even if you do not set foot in a car, you may be killed as a pedestrian in India, but also in many other nations.

In many countries – particularly in the developing world – road infrastructure is wretched, traffic laws are never obeyed, and the only thing that keeps motor vehicle deaths down are the horrendous traffic jams where nothing moves more than a mile or two an hour.

Countries with frightening traffic related death counts include Angola, Benin, the Central Africa Republic, Mozambique, Rwanda, the Solomon Islands, Sudan, and Uganda.

For travelers 55 and older, by the way, the leading cause of death is what you would predict: cardiovascular disease. By most counts, heart related deaths account for one in two American deaths abroad. In that vein, Jim Hutton, chief security officer at travel assistance company On Call International, said: “Most of the cases we deal with are medical.”

This CDC list is only a count of deaths from non natural causes.  

Leading cause #2 of non natural deaths: Homicides, with over 500 deaths.  Cf. the comments on Honduras above.

Said Sylvester, “your chances of dying in a terrorist incident are one in 20 million.” Your chances of dying in a mugging in Central or South America or parts of Asia just are higher.

Cause 3: suicide, with almost 400 victims. Mexico is where the largest number are recorded.  South Korea is 2.  Germany, Thailand and Costa Rica fill out the top five.  

That is a hard one to parse and it also is fact that different nations are quicker than others to label a death a suicide. (In the US we often prefer “accidental overdose.”) The US State Dept., which gathers these data, admits that very probably the count is incomplete – but nobody ventures an alternative guess.

Cause 4: Drowning. Per the CDC, “Drowning accounts for 13% of all deaths of US citizens abroad. Although risk factors have not been clearly defined, these deaths are most likely related to unfamiliarity with local water currents and conditions, inability to swim, and the absence of lifeguards on duty. Rip currents can be especially dangerous, as are sea animals such as urchins, jellyfish, coral, and sea lice. Alcohol also contributes to drowning and boating mishaps.

“Drowning was the leading cause of injury death to US citizens visiting countries where water recreation is a major activity, such as Fiji, the Bahamas, Jamaica, and Costa Rica.”

No other cause merits special notice because, by CDC count, none of them produces that many corpses.  In that bucket are all terrorist related deaths.
How to stay safe overseas? Simple. Avoid nations with horrible roads (at least don’t get in cars). Avoid nations with high violent crime rates. Avoid nations with lots of gun toting terrorists (mainly in the Middle East and Africa).  Just take those three  precautions and you’ll be as safe overseas – maybe safer – than you are in the US.

Continue reading »