Wyndham settles U.S. data breach charges, in an FTC first
By Jonathan Stempel
(Reuters) - The Federal Trade Commission has settled a lawsuit accusing hotel group Wyndham Worldwide Corp WYN.N of failing to properly safeguard customer information, in a case arising from three data breaches affecting more than 619,000 customers.
The consent order on Wednesday was filed with the federal court in Newark, New Jersey, 3-1/2 months after a federal appeals court in Philadelphia said the FTC had authority to regulate corporate cyber security.
The case was considered a test of FTC power to fill the void from Congress's failure to adopt wide-ranging legislation on data security.
Wyndham's brands include Days Inn, Howard Johnson, Ramada, Super 8 and Travelodge, as well as Wyndham. The FTC wanted to hold Wyndham accountable for breaches in 2008 and 2009 in which hackers broke into its computer system and stole credit card and other details from customers, leading to over $10.6 million in fraudulent charges.
Scott McLester, Wyndham's general counsel, said the FTC order is the first to establish standards for data security, with regard to protecting payment card information.
"It should send a message of comfort to the business community and consumers that the FTC has now published its expectations for what companies must do," he said in an interview.
Under the order, Wyndham will establish a comprehensive information security program designed to protect cardholder data including payment card numbers, names and expiration dates.
The Parsippany, New Jersey-based company was not required to admit wrongdoing or pay a fine, but will comply with a widely used industry standard to protect the safety of payment card information. Its obligations under the consent order last for 20 years.