WASHINGTON (12/10/15)--Wyndham Hotels and Resorts has agreed to establish a comprehensive information security program and conduct annual audits as part of a settlement agreement with the Federal Trade Commission (FTC).
The settlement follows FTC charges that Wyndham’s security practices unfairly exposed payment card information of hundreds of thousands of consumers in three separate data breaches.
Under the terms of the settlement, Wyndham must establish a comprehensive information security program designed to protect cardholder data, including payment card numbers, names and expiration dates.
In addition, the company is required to conduct annual information security audits that certify the “untrusted” status of franchisee networks, to prevent future hacks that use the same method as the prior breaches.
In the event Wyndham suffers another data breach affecting more than 10,000 payment card numbers, it must obtain an assessment of that breach and provide the assessment to the FTC within 10 days.
These obligations are in place for 20 years.
According to the FTC, the settlement concludes federal litigation initiated by the FTC in 2012, and follows an August opinion from the Third Circuit Court of Appeals that upheld the FTC’s authority over data security practices.