Skip to main content

Wyndham Settles FTC Data Security Enforcement Case

CSR Thoughts...

This settlement represents how data security MUST be business's priority. There are no excuses when it comes to data privacy and the FTC is making a resiliant statement that they will not allow it to happen again with the decision to monitor Wyndham for a 20 year period.  This will not just force Wyndham to maintain a higher level of data privacy and security, but it will force them to exceed the standard.  With fines, cost for implementing and maintaining a data security program, costly PCI audits and FTC audits; Wyndham will be exponentially paying for their lax security for decades to come.



Bloomberg BNA

Hotelier Wyndham Hotels & Resorts LLC today agreed to settle Federal Trade Commission charges that lax data security allowed breaches of personal information of some 100,000 customers.

“I’m not surprised by this result. I get both sides. It looks like they both came to the table in good faith to come to a practical and sensible order,” Linn F. Freedman, a partner at Robinson & Cole LLP in Providence, R.I., told Bloomberg BNA.

The case involved one of the most anticipated privacy and data security rulings in years when the FTC's authority to bring data security enforcement action under the unfairness prong of Section 5 of the FTC Act against was affirmed in August by the U.S. Court of Appeals for the Third Circuit.

Under the stipulated order for injunction was filed in the U.S. District Court for the District of New Jersey Wyndham agreed to:

  • implement a comprehensive data security program;
  • gain a Payment Card Industry Data Security Standard evaluation and engage in yearly assessment of the handling of customer payment card information; and
  • agree to 20 years of FTC auditing of compliance with the settlement agreement requirements.

“What’s disheartening to some watching the case is that the FTC hasn’t backed down from requirement that there be a monitoring over 20 years. Many people believe it’s too long and unreasonable,” Freedman said.

FTC Chairwoman Edith Ramirez said in a statement that the “settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security. Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”