Wyndham and FTC settle data breach dispute — Wyndham got 20 years

On December 9, 2015, the FTC announced that it and Wyndham Hotels had settled their long-running dispute that led to an opinion from the Third Circuit Court of Appeals confirming the FTC’s authority to regulate cybersecurity.

The gist of the settlement is that, for the next 20 years, Wyndham must do the following:

  • obtain annual security audits of its information security program that conform to the Payment Card Industry Data Security Standard for certification of a company’s security program;
  • certify the “untrusted” status of franchisee networks, to prevent future hackers from using the same method used in the company’s prior breaches;
  • certify the extent of compliance with a formal risk assessment process that will analyze the possible data security risks faced by the company; and
  • certify that the auditor is qualified, independent and free from conflicts of interest;
  • in the event Wyndham suffers another data breach affecting more than 10,000 payment card numbers, it must obtain an assessment of the breach and provide that assessment to the FTC within 10 days.

Read more: Wyndham Settles FTC Charges It Unfairly Placed Consumers’ Payment Card Information At Risk | Federal Trade Commission

This site uses Akismet to reduce spam. Learn how your comment data is processed.