Hotelier Wyndham Worldwide has agreed to a landmark settlement in a case that challenged the U.S. Federal Trade Commission’s authority to bring enforcement actions against companies for failing to protect consumer data.
The case arose from three data breaches at Wyndham that affected more than 619,000 consumers. Under the settlement, the company will establish a comprehensive security program designed to protect cardholder information including payment card numbers, names and expiration dates.
“This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” FTC Chair Edith Ramirez said in a news release. “Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”
In August, a federal appeals court ruled the FTC had authority to regulate corporate cyber security, rejecting Wyndham’s challenge to the case. The 3rd U.S. Circuit Court of Appeals cited the agency’s broad powers under a 1914 law to protect consumers from unfair and deceptive trade practices.
Scott McLester, Wyndham’s general counsel, said the settlement is the first to establish standards for protecting payment card information. “It should send a message of comfort to the business community and consumers that the FTC has now published its expectations for what companies must do,” he told Reuters.
Wyndham’s brands include Days Inn, Howard Johnson, Ramada, Super 8, and Travelodge, as well as Wyndham. The FTC alleged Wyndham was liable for breaches in 2008 and 2009 in which hackers broke into its computer system and stole credit card and other details from customers, leading to over $10.6 million in fraudulent charges.
“The company’s computer systems unreasonably and unnecessarily exposed consumer data to the risk of theft,” the agency argued.
The settlement also requires Wyndham to conduct annual information security audits and to maintain safeguards on the connections between its systems and its franchisees’ servers. The company’s obligations under the agreement last 20 years.