Wyndham Hotels and Resorts has agreed to settle the FTC’s charges that its corporate data security practices were deficient under the unfairness prong of Section 5 of the FTC Act. Assuming the district court approves the proposed stipulated consent order, this concludes the litigation between Wyndham and the FTC. Under the terms of the twenty-year consent order, Wyndham must develop a comprehensive data security program designed to reasonably protect cardholder data and conduct annual data security audits. In addition, for any data breach affecting more than 10,000 credit card numbers, Wyndham must obtain an assessment of the breach within 180 days and provide the assessment to the FTC within 10 days of receiving it. Importantly, today’s settlement does not affect the Third Circuit’s decision upholding the FTC’s jurisdiction over corporate data security practices, which stands as the only federal appellate decision on the scope of FTC authority over corporate data security under the unfairness prong.