Wyndham Hotels and Resorts has agreed with the U.S. Federal Trade Commission to settle charges that the lodging company's security practices led to the exposure of customer credit-card data. The company has been the victim of three separate data breaches since 2008, affecting more than 600,000 customers.
The settlement calls for Wyndham to create a comprehensive information security program to protect cardholder data, including card numbers, names and expiration dates. The hotel company also will need to conduct annual information security audits and will be responsible for maintaining safeguards in its connections to all hotel property servers.
"This settlement marks the end of a significant case in the FTC's efforts to protect consumers from the harm caused by unreasonable data security," said FTC Chairwoman Edith Ramirez. "Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area."
Wyndham did not have to pay a fine or admit to any wrongdoing, but the company will need to adhere to specific security and auditing standards dictated by the settlement. Additionally, if another breach affecting more than 10,000 payment cards occurs, Wyndham will need to obtain an assessment of the breach and provide it to the FTC within 10 days. The terms of the settlement apply for 20 years.