FTC and Wyndham end hotel data protection feud

Hotel chain Wyndham Resorts has agreed to settle its long-running case with the FTC over its handling of customer data.

The US trade bod said on Wednesday it has agreed to a settlement deal [PDF] that will see Wyndham spend the next two decades under mandatory rules for securing and storing customer payment card information.

The deal settles a long-running case in which the FTC has accused Wyndham of failing to properly secure payment card information in the face of repeated data breaches and the loss of customer information.

The FTC first filed suit in 2012, alleging that the company's lax security practices constituted a violation of the FTC Act and thus could be prosecuted by the trade commission. Wyndham appealed the decision, claiming the FTC had no authority to challenge its data security policies.

Earlier this year, a US Court of Appeals found in favor of the FTC and upheld the Commission's standing to file complaint against companies who fail to maintain adequate security.

"This settlement marks the end of a significant case in the FTC's efforts to protect consumers from the harm caused by unreasonable data security," FTC chairwoman Edith Ramirez said of the deal.

"Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area."

With the settlement, Wyndham not only drops its appeal to the FTC, but also agrees to a set of security requirements that will run for the next 20 years.

During that time, the resort chain will be subject to annual security audits to check compliance with PCI-DSS security requirements on all customer payment card data. Additionally, Wyndham will need to maintain secured connections between its hotels and corporate offices when customer information is transmitted.

No cash penalties were mentioned in the settlement, though further complaints and fines could be issued should Wyndham fail to uphold its end of the settlement deal. ®