Wyndham Worldwide Corp. has agreed to settle U.S. Federal Trade Commission charges that it failed to properly safeguard customer information, in a case arising from three data breaches affecting more than 619,000 customers.
Wednesday’s settlement, which requires court approval, ends a case that was considered a test of FTC power to fill the void from Congress’s failure to adopt wide-ranging legislation on data security.
A consent order outlining the settlement was filed with the federal court in Newark, New Jersey, 3-1/2 months after the 3rd U.S. Circuit Court of Appeals in Philadelphia said the FTC had authority to regulate corporate cyber security.
Under the order, Wyndham must establish a comprehensive information security program designed to protect cardholder data including payment card numbers, names and expiration dates, the FTC said.
Wyndham was not fined or required to admit wrongdoing, but will comply with a widely used industry standard to protect the safety of payment card information. The Parsippany, New Jersey-based company’s obligations under the order last for 20 years.
The FTC wanted to hold Wyndham accountable for breaches in 2008 and 2009 in which hackers broke into its computer system and stole credit card and other details from customers, leading to more than $10.6 million in fraudulent charges.
Wyndham’s brands include Days Inn, Howard Johnson, Ramada, Super 8 and Travelodge, as well as Wyndham.
Scott McLester, Wyndham’s general counsel, said the FTC order is the first to establish standards for data security, with regard to protecting payment card information.
“It should send a message of comfort to the business community and consumers that the FTC has now published its expectations for what companies must do,” he said in an interview.
Wyndham said it has no indication that any customers suffered “financial loss” from the attacks.
The new security program does not cover various franchised hotels, but requires Wyndham to take into account risks that may emanate from them, according to the consent order.
“It shows that if companies want to give licensees access to their networks, they’re going to be held to the same security standards,” Craig Newman, a partner at Patterson Belknap Webb & Tyler, said in an interview.
In letting the FTC pursue its case, the Philadelphia appeals court cited the agency’s broad authority under a 1914 law to protect consumers from unfair and deceptive trade practices.
“This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” FTC Chairwoman Edith Ramirez said in a statement. “The court rulings in the case have affirmed the vital role the FTC plays in this important area.”
Security has been a growing concern after breaches such as those at retailer Target Corp., infidelity website Ashley Madison, and even U.S. government databases.
Wyndham said “safeguarding personal information remains a top priority” for the company.
The case is Federal Trade Commission v Wyndham Worldwide Corp et al, U.S. District Court, District of New Jersey, No. 13-01887.
(Reporting by Jonathan Stempel in New York; Editing by Alden Bentley, David Gregorio and Diane Craft)