FTC, Wyndham Hotels settle hacking case

Wyndham won't get fined, but must submit to oversight during the next 20 years

The Federal Trade Commission and Wyndham Hotels and Resorts have agreed to settle a case involving the company's security practices that led to the exposure of credit card information for more than 600,000 consumers.

Wyndham will not face a fine and will not have to admit wrongdoing, but the injunction requires Wyndham to submit to oversight for the next 20 years. Wyndham and the FTC both waived their rights to an appeal.

The settlement comes three months after a U.S. appellate court ruled the FTC can sue Wyndham over computer system hacks in 2008 and 2009. The ruling validated the FTC's power to pursue legal remedies from companies it deems to have inadequately invested in computer security as judged by claims made via their privacy policies.

At the time of the appellate court ruling, Electronic Privacy Information Center attorney Alan Butler told Wired magazine, "This is a huge victory for the FTC, but also for American consumers."

The court injunction was filed in U.S. District Court for the District of New Jersey.

As part of the agreement, Wyndham must develop "a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of Cardholder Data that it collects." The company must also provide annual written assessments of its compliance with the Payment Card Industry Data Security Standard (PCI DSS).

"This settlement marks the end of a significant case in the FTC's efforts to protect consumers from the harm caused by unreasonable data security," FTC Chairwoman Edith Ramirez said in a statement. "Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area."