Note: A conference call for media with Jessica Rich, Director of the FTC Bureau of Consumer Protection, will occur as follows:
Date: Dec. 9, 2015
Time: 12:00 p.m. ET
Call-in: (800) 230-1093, confirmation number 380593
Call-in lines, which are for media only, will open 15 minutes prior to the start of the call. Rich and FTC staff will be available to take questions from the media about the case.
Wyndham Settles FTC Charges It Unfairly Placed
Consumers’ Payment Card Information At Risk
Wyndham Hotels and Resorts has agreed to settle FTC charges that the company’s security practices unfairly exposed the payment card information of hundreds of thousands of consumers to hackers in three separate data breaches.
Under the terms of the settlement, the company will establish a comprehensive information security program designed to protect cardholder data – including payment card numbers, names and expiration dates. In addition, the company is required to conduct annual information security audits and maintain safeguards in connections to its franchisees’ servers.
The settlement concludes federal court litigation initiated by the FTC in 2012 and follows an August 2015 opinion by the Third Circuit Court of Appeals upholding the FTC’s authority over data security practices it charges are unfair pursuant to Section 5 of the FTC Act.
“This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” said FTC Chairwoman Edith Ramirez. “Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”
The proposed stipulated federal court order requires Wyndham Hotels and Resorts to obtain annual security audits of its information security program that conform to the Payment Card Industry Data Security Standard for certification of a company’s security program. In addition, the order requires Wyndham’s audit to:
- certify the “untrusted” status of franchisee networks, to prevent future hackers from using the same method used in the company’s prior breaches;
- certify the extent of compliance with a formal risk assessment process that will analyze the possible data security risks faced by the company; and
- certify that the auditor is qualified, independent and free from conflicts of interest.
The order also requires that in the event Wyndham suffers another data breach affecting more than 10,000 payment card numbers, they must obtain an assessment of the breach and provide that assessment to the FTC within 10 days.
The order provides that if Wyndham successfully obtains the necessary compliance certifications, it will be deemed in compliance with the comprehensive information security program provision of the order. That provision is not effective, however, in the event that Wyndham in any way misleads or provides false information during the annual audit and assessment process.
Wyndham’s obligations under the settlement are in place for 20 years.
The Commission vote approving the proposed stipulated order was 4-0. The FTC filed the proposed stipulated order in the U.S. District Court for the District of New Jersey.
NOTE: Stipulated orders have the force of law when approved and signed by the District Court judge.
The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.
For more information, click here.