Date: 2015-12-09
* Hotel operator must adopt comprehensive security program
* Breaches affected more than 619,000 customers
* No fine or admission of wrongdoing
Dec 9 - Wyndham Worldwide Corp has agreed
to settle U.S. Federal Trade Commission charges that it failed
to properly safeguard customer information, in a case arising
from three data breaches affecting more than 619,000 customers.
Wednesday's settlement, which requires court approval, ends
a case that was considered a test of FTC power to fill the void
from Congress's failure to adopt wide-ranging legislation on
data security.
A consent order outlining the settlement was filed with the
federal court in Newark, New Jersey, 3-1/2 months after the 3rd
U.S. Circuit Court of Appeals in Philadelphia said the FTC had
authority to regulate corporate cyber security.
Under the order, Wyndham must establish a comprehensive
information security program designed to protect cardholder data
including payment card numbers, names and expiration dates, the
FTC said.
Wyndham was not fined or required to admit wrongdoing, but
will comply with a widely used industry standard to protect the
safety of payment card information. The Parsippany, New
Jersey-based company's obligations under the order last for 20
years.
The FTC wanted to hold Wyndham accountable for breaches in
2008 and 2009 in which hackers broke into its computer system
and stole credit card and other details from customers, leading
to more than $10.6 million in fraudulent charges.
Wyndham's brands include Days Inn, Howard Johnson, Ramada,
Super 8 and Travelodge, as well as Wyndham.
Scott McLester, Wyndham's general counsel, said the FTC
order is the first to establish standards for data security,
with regard to protecting payment card information.
"It should send a message of comfort to the business
community and consumers that the FTC has now published its
expectations for what companies must do," he said in an
interview.
Wyndham said it has no indication that any customers
suffered "financial loss" from the attacks.
The new security program does not cover various franchised
hotels, but requires Wyndham to take into account risks that may
emanate from them, according to the consent order.
"It shows that if companies want to give licensees access to
their networks, they're going to be held to the same security
standards," Craig Newman, a partner at Patterson Belknap Webb &
Tyler, said in an interview.
In letting the FTC pursue its case, the Philadelphia appeals
court cited the agency's broad authority under a 1914 law to
protect consumers from unfair and deceptive trade practices.
"This settlement marks the end of a significant case in the
FTC's efforts to protect consumers from the harm caused by
unreasonable data security," FTC Chairwoman Edith Ramirez said
in a statement. "The court rulings in the case have affirmed the
vital role the FTC plays in this important area."
Security has been a growing concern after breaches such as
at retailer Target Corp, infidelity website Ashley
Madison, and even U.S. government databases.
Wyndham said "safeguarding personal information remains a
top priority" for the company.
The case is Federal Trade Commission v Wyndham Worldwide
Corp et al, U.S. District Court, District of New Jersey, No.
13-01887.
