Wyndham Worldwide this week agreed to settle charges with the Federal Trade Commission that the company’s security practices unfairly exposed the payment card information of hundreds of thousands of consumers to hackers in three separate data breaches.

As Compliance Week previously reported, U.S. District Court Judge Esther Salas of the District of New Jersey ruled last year that the FTC could move forward with its lawsuit against Wyndham Worldwide over allegations that the global hospitality company’s data security practices violated Section 5 of the FTC Act, which bars unfair and deceptive acts and practices.

The FTC first filed the complaint against Wyndham in 2012 over allegations that Wyndham's privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers’ personal information. The FTC further alleged in its complaint that Wyndham’s failure to remedy known security vulnerabilities, and failure to employ reasonable measures to detect unauthorized access, led to three data breaches at Wyndham hotels in less than two years.

Under the terms of the settlement, the company will establish a comprehensive information security program designed to protect cardholder data, including payment card numbers, names and expiration dates. In addition, the company is required to conduct annual information security audits and maintain safeguards on its connections to its franchisees’ servers.

The proposed stipulated federal court order requires Wyndham Worldwide to obtain annual security audits of its information security program that conform to the Payment Card Industry Data Security Standard for certification of a company’s security program.

In addition, the order requires Wyndham’s audit to:

Certify the “untrusted” status of franchisee networks, to prevent future hackers from using the same method used in the company’s prior breaches;

Certify the extent of compliance with a formal risk assessment process that will analyze the possible data security risks faced by the company; and

Certify that the auditor is qualified, independent, and free from conflicts of interest.

The order also requires that, in the event Wyndham suffers another data breach affecting more than 10,000 payment card numbers, it must obtain an assessment of the breach and provide that assessment to the FTC within 10 days.

The order provides that if Wyndham successfully obtains the necessary compliance certifications, it will be deemed in compliance with the comprehensive information security program provision of the order. “That provision is not effective, however, in the event that Wyndham in any way misleads or provides false information during the annual audit and assessment process,” the FTC said.

On Dec. 9, the FTC voted 4-0 to approve the proposed stipulated order, which must be approved and signed by the judge. Wyndham’s obligations under the settlement are in place for 20 years.