On December 9, 2015, the FTC announced that it and Wyndham Hotels had settled their long-running dispute that led to an opinion from the Third Circuit Court of Appeals confirming the FTC’s authority to regulate cybersecurity.
The gist of the settlement is that, for the next 20 years, Wyndham must do the following:
- obtain annual security audits of its information security program that conform to the Payment Card Industry Data Security Standard for certification of a company’s security program;
- certify the “untrusted” status of franchisee networks, to prevent future hackers from using the same method used in the company’s prior breaches;
- certify the extent of compliance with a formal risk assessment process that will analyze the possible data security risks faced by the company; and
- certify that the auditor is qualified, independent and free from conflicts of interest;
- in the event Wyndham suffers another data breach affecting more than 10,000 payment card numbers, it must obtain an assessment of the breach and provide that assessment to the FTC within 10 days.
