The Federal Trade Commission has settled a lawsuit accusing hotel group Wyndham Worldwide Corp of failing to properly safeguard customer information, in a case arising from three data breaches affecting more than 619,000 customers.
The consent order on Wednesday was filed with the federal court in Newark, New Jersey, 3-1/2 months after a federal appeals court in Philadelphia said the FTC had authority to regulate corporate cyber security.
The case was considered a test of FTC power to fill the void from Congress's failure to adopt wide-ranging legislation on data security.
Wyndham's brands include Days Inn, Howard Johnson, Ramada, Super 8 and Travelodge, as well as Wyndham.
The FTC wanted to hold Wyndham accountable for breaches in 2008 and 2009 in which hackers broke into its computer system and stole credit card and other details from customers, leading to over $10.6 million in fraudulent charges.
Scott McLester, Wyndham's general counsel, said the FTC order is the first to establish standards for data security, with regard to protecting payment card information.
"It should send a message of comfort to the business community and consumers that the FTC has now published its expectations for what companies must do," he said in an interview.
Under the order, Wyndham will establish a comprehensive information security program designed to protect cardholder data including payment card numbers, names and expiration dates.
The Parsippany, New Jersey-based company was not required to admit wrongdoing or pay a fine, but will comply with a widely used industry standard to protect the safety of payment card information. Its obligations under the consent order last for 20 years.
"This settlement marks the end of a significant case in the FTC's efforts to protect consumers from the harm caused by unreasonable data security," FTC Chairwoman Edith Ramirez said in a statement. "The court rulings in the case have affirmed the vital role the FTC plays in this important area."
Wyndham said it has no indication that any customers suffered "financial loss" from the attacks.
In letting the FTC pursue its case, the 3rd U.S. Circuit Court of Appeals in Philadelphia cited the agency's broad authority under a 1914 law to protect consumers from unfair and deceptive trade practices.
Security has been a growing concern after breaches such as those at retailer Target Corp, infidelity website Ashley Madison, and even U.S. government databases.
Wyndham said "safeguarding personal information remains a top priority" for the company.
The case is Federal Trade Commission v Wyndham Worldwide Corp et al, U.S. District Court, District of New Jersey, No. 13-01887.