On December 9, 2015, Wyndham Worldwide Corporation, and related companies (collectively, “Wyndham”), reached a settlement with the US Federal Trade Commission (FTC) to resolve claims arising from three data breaches that the hotel chain suffered over several years. Wyndham did not admit to the FTC’s allegations of deceptive and unfair practices, but agreed to meet a variety of data security and reporting requirements during the 20-year term of the consent order. Approved by the district court two days later, the consent order provides significant guidance regarding the FTC’s views on appropriate cybersecurity measures for companies that handle payment card information, including those built around a franchise model.
