Wyndham: A Case Study in Cybersecurity: How the cost of a relatively small breach can rival that of a major hack attack
Timothy Cornell of Clifford Chance US LLP has an interesting write-up on the Wyndham case that really details the time and labor costs of responding to a government investigation following a data breach. Here’s an example:
On April 8, 2010, the FTC began to investigate Wyndham Worldwide and three of its subsidiaries (collectively “Wyndham”), sending Wyndham a voluntary request for information. The FTC’s investigatory focus, as stated in that April 8, 2010 letter, was to determine: “whether Wyndham’s information security practices comply with Section 5 of the [FTC] Act, which prohibits deceptive or unfair acts or practices, including misrepresentations about security and unfair security practices that cause substantial injury to consumers.” The FTC’s request contained 14 detailed inquiries (most with subparts) and sought information about Wyndham’s IT architecture, cybersecurity policies, and the three data breaches that occurred. It took Wyndham more than five months to locate all responsive documents. 
During 2010 and the first half of 2011, the FTC sent three supplemental requests for information and documents, and also posed oral requests at meetings between the parties. In total, 29 document requests and 51 information requests were issued to Wyndham prior to December 2011. Wyndham produced over 1 million pages of documents and written responses that totaled 72 pages single spaced. In addition, Wyndham Worldwide’s CFO and head of Information Security – along with attendant inside and outside counsel – attended seven in-person meetings with the FTC. The time and cost associated preparing for each of those meetings was likely significant.
Wyndham estimated that its response cost exceeded $5 million in legal and vendor fees. And that estimate did not include the time employees spent responding to the requests or the business disruption caused thereby, nor the costs associated with preparing for meetings with the FTC.
Read more on The Metropolitan Corporate Counsel.