Wyndham Hotels Settles FTC Charges Following Three Data Breaches
Wyndham Hotels and Resorts has agreed to settle Federal Trade Commission (FTC) charges that the company's security practices unfairly exposed the payment card information of hundreds of thousands of consumers to hackers in three separate data breaches.
Under the terms of the settlement, the company will establish a comprehensive information security program designed to protect cardholder data – including payment card numbers, names and expiration dates. In addition, the company is required to conduct annual information security audits and maintain safeguards in connections to its franchisees' servers.
The proposed stipulated federal court order requires Wyndham Hotels and Resorts to obtain annual security audits of its information security program that conform to the Payment Card Industry Data Security Standard for certification of a company's security program.
The order also requires that, in the event Wyndham suffers another data breach affecting more than 10,000 payment card numbers, it must obtain an assessment of the breach and provide that assessment to the FTC within 10 days.
The order provides that if Wyndham successfully obtains the necessary compliance certifications, it will be deemed in compliance with the comprehensive information security program provision of the order. That provision is not effective, however, in the event that Wyndham in any way misleads or provides false information during the annual audit and assessment process.
Wyndham's obligations under the settlement are in place for 20 years.