This week, Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC (collectively, Marriott) agreed to settle on the terms of a settlement order with the Federal Trade Commission (FTC) for its alleged failures to implement reasonable security measures which in turn led to three data breaches between 2014 and 2020, affecting over 344 million consumers across the globe. The type of data affected included names, passport information, payment card numbers, loyalty numbers, dates of birth, email addresses, and other types of personal information. Specifically, the FTC alleged that Marriott failed to implement appropriate password controls, access controls, firewall controls, or network segmentation; patch outdated software and systems; adequately log and monitor network environments; or deploy adequate multifactor authentication.
Pursuant to the Order, Marriott will:
- Provide all U.S. consumers with a means to request deletion of their personal information;
- Allow all U.S. consumers to review loyalty rewards accounts upon request and reinstate loyalty points if such points were stolen as a result of the breach(es);
- Clearly and transparently disclose to consumers how Marriott collects, maintains, uses, deletes, and discloses consumers’ personal information;
- Minimize the retention of personal information only for as long as such information is needed to fulfill the purpose for which it was collected;
- Implement and maintain a comprehensive information security program and certify compliance to the FTC annually for 20 years; and,
- Undergo an independent, third-party security risk assessment every two years;
The FTC does not have legal authority to require Marriott to pay civil penalties in this matter. Additionally, this week, Marriott agreed to pay a $52 million penalty to 49 states and the District of Columbia to resolve similar data security allegations made by state regulators.
[View source.]
