Wyndham Settles with FTC Over String of Data Breaches

Wyndham Hotels settled a long-running dispute with the FTC over a string of data breaches, the FTC announced on Wednesday.

In-brief: The Federal Trade Commission announced that it has reached a deal with Wyndham Hotels stemming from a string of data breaches that resulted in some $10 million in fraudulent charges. The hotel chain agreed to improve its information security practices. 

After losing in court over the summer, Wyndham Hotels and Resorts on Wednesday agreed to settle charges filed by the Federal Trade Commission (FTC) stemming from three data breaches that exposed payment card information of hundreds of thousands of the company’s customers.

No monetary damages were assessed in the agreement, but the FTC said in a statement that under the terms of a settlement agreement, Wyndham will “establish a comprehensive information security program designed to protect card holder data” and obtain annual security audits of its information security program that conform to the Payment Card Industry Data Security Standard (PCI DSS).

Additionally, the hotel chain will need to certify that “untrusted” franchisee networks have been secured and hire qualified auditors to conduct formal risk assessments of the company.

“This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” said FTC Chairwoman Edith Ramirez in a published statement. “Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”

The FTC sued Wyndham after three data breaches at the chain in 2008 and 2009 resulted in fraudulent charges to Wyndham customers totaling some $10.6 million. In a 2012 case, the FTC charged that Wyndham had engaged in “unfair cybersecurity practices” that “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” Among the failings: Wyndham had stored customers’ payment card data in clear text and regularly allowed the use of easily guessed passwords for accessing property management systems.

The case is notable more for Wyndham’s attempt to fight the FTC than for the outcome, which many legal experts long predicted. In August, the U.S. Court of Appeals for the Third Circuit found that the FTC was within its rights to sue Wyndham Worldwide. The Commission acted within its statutory authority in fining the company for poor cybersecurity practices.


The ruling strengthened the hand of the FTC and the federal government in pushing private sector firms to improve cyber security measures, grouping information security protections with the other kinds of fair business practices governed by the FTC.
