Wyndham, FTC Settle Data Breach Charges

In the latest news tied to cybercrime and settlements, Wyndham Worldwide Corp. will settle charges by the U.S. Federal Trade Commission that the company did not adequately safeguard information, as part of a case that bundled grievances of more than 619,000 customers hit by three separate data breaches.

Reuters noted that the settlement still needs court approval and that it centers on a court order filed in Newark, New Jersey, handed down three months after the Pennsylvania Court of Appeals ruled that the FTC does indeed have the right to oversee corporate cybersecurity.

The order dictates that the company must set up an information security program that aims to protect names, expiration dates and payment card numbers.

There were no fines and the company is not required to admit any wrongdoing, but the firm’s obligation to fulfill those orders will last for 20 years.

The case brought by the FTC stems from attacks in 2008 and 2009 in which hackers stole credit card information and other data, ultimately racking up as much as $10.6 million in fraudulent charges. Yet Wyndham has said that the breaches did not result in financial losses for customers.

In a statement, Scott McLester, the firm’s general counsel, said the FTC order is noteworthy because, among other things, it shows that the FTC has now published its expectations on how companies must act.

The FTC based its determination to pursue the case on a 101-year-old law that charges the agency with protecting the general public from unfair or deceptive lenders.

“This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” a statement from Edith Ramirez, FTC chairwoman, said. “The court rulings in the case have affirmed the vital role the FTC plays in this important area.”