Flickr photo by Yuri Samoilov

Wyndham Agrees to Annual Audits to Settle FTC Data Security Suit

Wyndham Worldwide Corporation agreed today to annual audits to settle a lawsuit with the Federal Trade Commission (FTC) charging that it unfairly exposed payment card information of hundreds of thousands of consumers to hackers in separate data breaches over a three-year period.

"This settlement marks the end of a significant case in the FTC's efforts to protect consumers from the harm caused by unreasonable data security," said FTC Chairwoman Edith Ramirez in a press release. "Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area."

The settlement does not hold Wyndham liable for any violations or require it to pay any monetary relief. However, it does require Wyndham to create a comprehensive information security program designed to protect cardholder data, such as payment card numbers, names, and expiration dates.

Wyndham is also required to conduct annual information security audits and to maintain safeguards in connection with its franchisees' servers. These audits must conform to the Payment Card Industry Data Security Standard for certification of a company's program.

Additionally, under the settlement Wyndham must certify the "untrusted" status of franchisee networks to prevent future hackers from using the same method they did in prior breaches of the corporation. It also must certify the extent of compliance with a formal risk assessment process to analyze possible data security risks, and certify that the auditor is qualified and free from conflicts of interest.

Furthermore, if Wyndham is breached again and the security breach affects more than 10,000 payment card numbers, it must assess the breach and provide that information to the FTC within 10 days.

Wyndham will be in compliance with the settlement order's comprehensive information security program provision if it "successfully obtains the necessary compliance certifications," according to the press release. "That provision is not effective, however, in the event that Wyndham in any way misleads or provides false information during the annual audit and assessment process."

The settlement order will apply to Wyndham for the next 20 years, and the corporation said in a statement that it is "pleased" to reach it.

"We chose to defend against this litigation based on our strong belief that we have had reasonable data security in place, and that the FTC's position could have had a negative impact on the franchise business model," Wyndham said. "This settlement resolves those issues, and sets a standard for what the government considers reasonable data security of payment card information. Safeguarding personal information remains a top priority for our company at a time when companies and government agencies are increasingly the targets of cyberattacks."

The settlement stems from a case brought by the FTC against Wyndham in 2012 after hackers successfully accessed its computer systems three times, stealing personal and financial information for hundreds of thousands of consumers, leading to more than $10.6 million in fraudulent charges.

Prior to the hacks, Wyndham "falsely told consumers that it followed industry standard practices" for cybersecurity to protect their data, the FTC found. In 2012, it filed suit against Wyndham, alleging that its conduct was an unfair cybersecurity practice that "taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft," according to court documents.

For more details on the lawsuit, read Security Management's December Legal Report.