The Federal Trade Commission (FTC) has finalized an order requiring Marriott International and its subsidiary Starwood Hotels & Resorts Worldwide to implement a comprehensive information security program.
This final order settles the FTC’s charges announced in October that the companies deceived customers by claiming to have reasonable data security, when in fact they did not, the FTC said in a Friday (Dec. 20) press release.
The companies suffered three data breaches that affected more than 344 million of their customers worldwide, according to the release.
Reached by PYMNTS, Marriott pointed to an Oct. 9 press release it issued when a proposed settlement order was announced.
In that press release, Marriott said that it made no admission of liability with respect to the underlying allegations and that many of the enhancements to its data privacy and information security programs were already in place or in progress.
“Protecting guests’ personal data remains a top priority for Marriott,” the company said in the release. “These resolutions affirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify and manage risks from evolving cybersecurity threats.”
Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in the regulatory agency’s own Oct. 9 press release that the proposed settlement order would ensure that Marriott improves its data security practices.
“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” Levine said.
Under the order that was finalized Friday, Marriott and Starwood are required to establish a comprehensive information security program to help safeguard customers’ personal information, retain personal information only as long as is reasonably necessary, and establish a link on their website that allows U.S. customers to request the deletion of personal information associated with their email address or loyalty rewards account number, according to the release.
The companies are also required to review loyalty rewards accounts upon customer request and restore stolen loyalty points. In addition, they are prohibited from misrepresenting how they handle consumers’ personal information and the extent to which the companies protect that personal information.