The U.S. Federal Trade Commission and Wyndham Worldwide Corp. have settled a data breach lawsuit by entering into a Stipulated Order for Injunction. Under the settlement terms, which will be in effect for 20 years, Wyndham must comply with several orders, including establishing a data security program to protect cardholder data processed in the United States.
“Today’s settlement provides the company’s customers with meaningful protections moving forward,” said Jessica Rich, director of the FTC's Bureau of Consumer Protection.
The FTC first filed a complaint against Wyndham in 2012, following three data breaches that occurred between 2008 and 2009. The FTC claimed Wyndham failed to protect consumers’ personal information, resulting in the compromise of more than 500,000 payment card accounts, the export of “hundreds of thousands” of account numbers to a Russia-registered domain and $10.6 million in fraud.
Wyndham filed a motion to dismiss the case, but an appeals court denied the request in August.
In a prepared release, Wyndham commented: “We chose to defend against this litigation based on our strong belief that we have had reasonable data security in place and that the FTC’s position could have had a negative impact on the franchise business model. This settlement resolves these issues and sets a standard for what the government considers reasonable data security of payment card information.”
Requirements
According to the court order, Wyndham must develop and implement a “comprehensive information security program” designed to protect any cardholder data that is collected or received in the United States. Every Dec. 31 for the next 20 years, including 2015, Wyndham must provide certification from an independent auditor that the security program meets the Payment Card Industry Data Security Standard.
Unlike previous FTC cases involving data security order requirements, Rich said, the FTC imposed additional measures requiring Wyndham to “safeguard connections between its servers and the servers of franchises that process payment card transactions. This will close a critical gap that allegedly left the door open for hackers to breach the company on three separate occasions.”
Additionally, the court has the right to request audits beyond the annual assessment should Wyndham make “significant” changes to the security system or if Wyndham experiences a data breach, Rich explained.
Future Financial Protection
The FTC’s original complaint alleged Wyndham’s three breaches resulted in $10.6 million in fraud and requested the court award refunds and relief to affected consumers, but Rich said the settlement does not provide any financial compensation.
However, the settlement allows the FTC to protect consumers in the future, she said. “If Wyndham violates the order, there could be additional monetary remedies.”
Wyndham’s statement noted that, to date, it “has not received any indication that any hotel customers experienced financial loss as a result of these attacks.”
Wyndham continued, “We’re pleased to reach this settlement with the FTC. … Safeguarding personal information remains a top priority for our company at a time when companies and government agencies are increasingly the targets of cyberattacks.”