Skip to main content

Data security watchers read with interest the United States Court of Appeals’ decision earlier this year in FTC v. Wyndham, upholding the FTC’s authority to challenge allegedly lax data security practices under the unfairness prong of the FTC Act. We view that ruling as a milestone victory for consumers and for companies of all sizes that are committed to keeping customers’ personal information secure. Now there’s another big development in the FTC’s law enforcement action against Wyndham and you’ll want to be among the first to know.

Just to recap, the FTC sued Wyndham and three subsidiaries in 2012, alleging that data security failures led to three breaches in less than two years. According to the complaint, hackers infiltrated the network of a Wyndham franchisee and then exploited lax security on Wyndham’s corporate network to grab sensitive consumer data from dozens of other Wyndham franchisees. Those breaches resulted in the transfer of account data about hundreds of thousands of consumers to a website registered in Russia – and millions of dollars of fraudulent charges on consumers’ credit and debit cards. The district court ruled that the FTC had the authority to challenge Wyndham’s conduct under the FTC Act. The Third Circuit heard an immediate appeal of that legal issue and ruled in the FTC’s favor

Today, the FTC and Wyndham announced a proposed settlement in the case. You’ll want to read the order for the details, but check out these provisions of note.

Under Part I of the proposed Order, the company must establish a comprehensive information security program to protect cardholder data, including payment card numbers, names and expiration dates, and must conduct related annual information security audits every year for the next 20 years.

Furthermore, the Order requires Wyndham to specifically consider risks arising from network connections between Wyndham-branded hotels and the corporate data center. The FTC sees that as an essential provision because the breaches alleged in the complaint arose from weaknesses in those connections.

Part II of the Order requires Wyndham to get an annual independent assessment under the Payment Card Industry Data Security Standard – most businesses know it as PCI DSS – an industry standard for entities that accept credit cards. But it doesn’t end there. Part II includes additional provisions to beef up what’s required under the PCI DSS. These additional provisions include requiring an independent third-party auditor to certify that:

  • Wyndham safeguards the connections with its franchisee hotels;
  • Wyndham engages in a comprehensive risk assessment as laid out in the PCI-DSS risk assessment guidelines; and
  • The auditor is truly independent from Wyndham.

If the independent assessment required by Part II establishes that Wyndham is in full compliance, the FTC will consider it to be in compliance with the comprehensive information security program required by Part I also. All bets are off, however, if Wyndham in any way deceives the auditor or significantly changes the system after the audit.

What’s the legacy of FTC v. Wyndham?  First, the Court of Appeals’ decision affirms the FTC’s use of Section 5 to challenge unreasonable data security practices.  Second, the lessons of this case – and the FTC’s 50+ other data security settlements – offer guidance to other businesses about building sensible security into your day-to-day operations.

The FTC has free resources to help companies start with security.



It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.

The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.

  • We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
  • We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
  • We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
  • We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to

We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.

Get Business Blog updates