Breached hotel chain settles with FTC in landmark case

The Federal Trade Commission (FTC) on Wednesday settled a lawsuit with hotel chain Wyndham Worldwide that alleged the company’s poor data security exposed customer data to hackers.

The settlement is the final period in a court battle that spanned several years and threatened the FTC’s power to go after companies over their data security practices.

Wyndham had challenged the FTC’s authority, seeking to dismiss the lawsuit against it. But in August, a federal appeals court sided with the FTC, setting off negotiations that led to the settlement.

“This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” FTC Chairwoman Edith Ramirez said in a release. “Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”

Under the proposed agreement, Wyndham will be required to “establish a comprehensive information security program designed to protect cardholder data,” the FTC said. The company will also have to undergo annual security audits to ensure compliance.

The FTC brought its case after hackers infiltrated Wyndham’s network three times between 2008 and 2010, stealing the credit and debit card information of more than 600,000 patrons.

The agency has brought more than 50 such data security cases, but the vast majority are settled with consent decrees and don't end up in court.

Wyndham was one of the first companies to push back and take on the FTC.

Wednesday’s settlement could set a precedent for future enforcement actions.

The FTC has become the de facto data security regulatory agency in recent years, filling the void left by Congress’s inability to move a data breach bill that would set nationwide security standards.

The White House has backed legislation that would direct the FTC to set these standards.