The FTC has settled a lawsuit with the hotel company Wyndham over a series of data breaches that turned into a major test of the agency's regulatory power. Under the agreement, Wyndham will not have to pay a fine or admit that it broke the law, but will have to institute "a comprehensive information security program" to stop future data breaches.
Wyndham argued the FTC didn't have the regulatory power to police cybersecurity
The agency first sued Wyndham in 2012, saying that lax security standards had paved the way for three data breaches that exposed information on hundreds of thousands of customers. In its defense, Wyndham argued that the FTC didn't have the authority to regulate cybersecurity standards at all. That claim led to a lengthy court battle, which eventually concluded with an appeals court ruling this year that the FTC did, in fact, have that authority, a decision the FTC will likely point to as it brings similar cases in the future.
Wyndham, however, will only be required to pay its own attorney fees under the settlement, rather than a fine for its security practices. Jessica Rich, director of the FTC Bureau of Consumer Protection, said during a call with reporters that the agency doesn't currently have the authority to impose civil penalties for cybersecurity issues unless a company violates an existing order.
The company also pointed out that the order "applies only to payment card information," not to other personal information. Under the order, Wyndham will also have to report to an independent auditor for the 20 years that the order is in effect. "We are pleased to reach this settlement with the FTC, which does not hold Wyndham liable for any violations, nor require Wyndham to pay any monetary relief," the company said in a statement.
Rich said that she is "pleased that this case led to a strong validation" of the agency's practices.