Wyndham Worldwide has come to an agreement with the U.S. Federal Trade Commission (FTC) regarding the agency’s investigation into a series of data breaches at some of the hospitality giant’s hotels.
The FTC sued Wyndham Worldwide in 2012 for security failures that resulted in three data breaches between 2008 and 2010. The breaches at Wyndham Hotels and Resorts properties allegedly resulted in the theft of data associated with hundreds of thousands of payment cards and fraudulent charges totaling millions of dollars.
In response to the FTC’s accusations, Wyndham argued that it responded appropriately to the data breaches — it promptly alerted authorities, hired forensics experts to investigate the incident, implemented security enhancements, notified affected customers and offered them credit monitoring services. Furthermore, the company says it hasn’t received any indication that its customers experienced financial loss due to the attacks.
Earlier this year, Wyndham challenged the FTC’s authority to take action against organizations with poor data security practices, but the U.S. Court of Appeals for the Third Circuit ruled that the FTC can sue firms that fail to safeguard consumer data.
Wyndham has now agreed to settle FTC charges, but the company will not have to pay a fine or admit to any wrongdoing. Instead, it will have to establish a comprehensive information security program designed to protect payment card data, and conduct annual security audits. The company will also have to ensure that the networks of its franchisees are properly protected.
The FTC has pointed out that these obligations are in place for 20 years.
“We are pleased to reach this settlement with the FTC, which does not hold Wyndham liable for any violations, nor require Wyndham to pay any monetary relief. We chose to defend against this litigation based on our strong belief that we have had reasonable data security in place, and that the FTC’s position could have had a negative impact on the franchise business model,” Wyndham stated.
“This settlement resolves these issues, and sets a standard for what the government considers reasonable data security of payment card information. Safeguarding personal information remains a top priority for our company at a time when companies and government agencies are increasingly the targets of cyberattacks,” the company added.