Wyndham Settles With FTC Over Data Breach

Wyndham Hotels and Resorts has agreed to establish a cybersecurity program designed to protect credit card data, in order to resolve a high-profile battle with the Federal Trade Commission.

The proposed settlement, unveiled Wednesday, also requires Wyndham to conduct annual security audits for the next 20 years. If approved by a judge, the deal will resolve FTC allegations that Wyndham's security practices were so deficient that they were "unfair" to consumers.

"This settlement marks the end of a significant case in the FTC's efforts to protect consumers from the harm caused by unreasonable data security," FTC Chairwoman Edith Ramirez said Wednesday in a statement.

The battle between the FTC and Wyndham stems from three separate data breaches suffered by Wyndham between 2008 and 2010. The FTC sued the hotel chain in June 2012, charging it with failing to take reasonable security measures. Among other practices, Wyndham allegedly stored credit card information in clear readable text, used "easily guessed" passwords and failed to use firewalls.

News of the settlement comes several months after a federal appellate court ruled that the FTC could proceed with its case. A three-judge panel of the 3rd Circuit Court of Appeals rejected Wyndham's argument that the agency's lawsuit reflected an attempt to impose security requirements retroactively.

"Wyndham was not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required," the panel wrote. "Instead, the relevant question in this appeal is whether Wyndham had fair notice that its conduct could fall within the meaning of the statute."

Gregory Boyd, a partner with the law firm Frankfurt Kurnit Klein & Selz, said at the time that the decision endorsed the concept that the FTC has broad authority to regulate privacy, even in the absence of specific data-protection guidelines.
