Wyndham Worldwide has issued the following statement regarding its settlement with the Federal Trade Commission (“FTC”) resulting from the FTC’s investigation of data breaches that occurred at some Wyndham Hotels and Resorts-brand hotel properties from 2008 to 2010.
“We are pleased to reach this settlement with the FTC, which does not hold Wyndham liable for any violations, nor require Wyndham to pay any monetary relief. We chose to defend against this litigation based on our strong belief that we have had reasonable data security in place, and that the FTC’s position could have had a negative impact on the franchise business model. This settlement resolves these issues, and sets a standard for what the government considers reasonable data security of payment card information. Safeguarding personal information remains a top priority for our company at a time when companies and government agencies are increasingly the targets of cyberattacks.”
Several years ago, Wyndham Hotels and Resorts, LLC was the victim of sophisticated cyberattacks by criminal hackers, who accessed customer information at certain Wyndham Hotels and Resorts-brand hotel properties. The Company promptly alerted law enforcement agencies, retained computer forensic experts, implemented significant security enhancements, and assisted franchised Wyndham Hotels and Resorts-brand hotels in reinforcing their information security. Wyndham also made prompt efforts to notify the hotel customers whose information may have been compromised, and offered them credit monitoring services. Importantly, to date Wyndham has not received any indication that any hotel customers experienced financial loss as a result of these attacks.
The FTC conducted an investigation of this matter and Wyndham cooperated fully. Following are the key terms of the settlement between Wyndham and the FTC announced today:
- Wyndham will not pay any monetary relief.
- The Company is granted a Safe Harbor if it continues to meet certain requirements for “reasonable information security” outlined in the FTC’s consent order.
- The consent order applies only to payment card information, and does not apply to any other categories of personally identifiable information. Payment Card Industry (“PCI”) certification will satisfy Wyndham’s reporting requirement and provide the basis for the Safe Harbor.
- The duration of Wyndham’s obligations under the consent order will in no event be longer than 20 years, and in several areas will be shorter.