Hotel conglomerate Wyndham Worldwide has agreed to settle Federal Trade Commission charges alleging that its poor data security practices unfairly exposed the payment card information of hundreds of thousands of consumers in a series of breaches, the agency announced Wednesday.
The settlement marks the end of long-running litigation that challenged the FTC's authority to take action against companies that fail to protect consumers' data.
Under the terms of the proposed settlement, Wyndham must "establish a comprehensive information security program designed to protect cardholder data" as well as conduct annual information security audits, among other steps designed to safeguard consumer's information, the FTC said. In the event of another data breach that affects more than 10,000 credit or debit card numbers, Wyndham would be required to get a written assessment of the breach and provide it to the FTC within 10 days. The company's obligations under the agreement would last 20 years, the agency said.
"Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area," said FTC Chairwoman Edith Ramirez in a news release. The FTC alleged that Wyndham failed to take basic security measures to protect customer data, despite assurance to customers. In August, a federal appeals court ruling related to the case bolstered the agency's ability to go after companies with lax security practices under its authority to protect consumers from unfair or deceptive practices.
The proposed settlement does not include financial penalties, a point Wyndham highlighted in its statement. "We are pleased to reach this settlement with the FTC, which does not hold Wyndham liable for any violations, nor require Wyndham to pay any monetary relief," the company said in a news release.
Luxury hotel brands have been the target of a wave of cyberattacks in recent years. Just last month, Starwood Hotels warned of credit card breaches at more than 50 locations in incidents between November 2014 and October 2015.