On December 9, the FTC announced a settlement with a leading United States-based hotel and resort chain to resolve charges that the company’s data security practices were unfair and deceptive under Section 5 of the FTC Act. The settlement follows the Third Circuit’s August 24 ruling affirming the FTC’s authority to take action against companies with deficient cybersecurity practices that fail to protect consumer data against hackers. The settlement terms require the company, for the next 20 years, to establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of cardholder data. In addition, the company must obtain annual written assessments of its information security program. The assessments must certify (i) the “untrusted” status of franchisee networks that may store, process, or transmit cardholder data; (ii) the extent of the company’s compliance with the risk management protocol; and (iii) that the assessments were completed by a qualified and independent auditor free from any conflicts of interest. The settlement also requires that, in the event of another data breach affecting more than 10,000 consumers, the company obtain an assessment of the breach within 180 days and report the findings of that assessment to the FTC within 10 days of its completion.