A long-running dispute over companies' responsibility to protect customers' data concluded last week as Wyndham Hotels and Resorts settled charges that its security practices unfairly exposed consumers' credit card information to hackers.
Under terms of the settlement, the company will establish an information security program, conduct annual information security audits, and enforce the use of safeguards by its franchisees.
“This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” said FTC Chairwoman Edith Ramirez. “Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”
Wyndham noted that the settlement "does not hold Wyndham liable for any violations, nor require Wyndham to pay any monetary relief" and said it initially disputed the allegations "based on our strong belief that we have had reasonable data security in place, and that the FTC’s position could have had a negative impact on the franchise business model."
In a prepared statement, the hotel chain said the settlement "sets a standard for what the government considers reasonable data security of payment card information."
Wyndham also noted that it "made prompt efforts to notify the hotel customers whose information may have been compromised, and offered them credit monitoring services," and said that "to date Wyndham has not received any indication that any hotel customers experienced financial loss as a result of these attacks."
The proposed stipulated federal court order requires Wyndham Hotels and Resorts to obtain annual security audits of its information security program that conform to the Payment Card Industry Data Security Standard for certification of a company’s security program. In addition, the order requires Wyndham’s audit to:
- certify the “untrusted” status of franchisee networks, to prevent future hackers from using the same method used in the company’s prior breaches;
- certify the extent of compliance with a formal risk assessment process that will analyze the possible data security risks faced by the company; and
- certify that the auditor is qualified, independent, and free from conflicts of interest.
The order also requires that in the event Wyndham suffers another data breach affecting more than 10,000 payment card numbers, it must obtain an assessment of the breach and provide that assessment to the FTC within 10 days.