FTC Requiring Marriott to Certify Security Program After Data Breaches


The Federal Trade Commission (FTC) plans to require Marriott International and its subsidiary Starwood Hotels & Resorts Worldwide to implement a comprehensive security program.

This plan is part of a proposed settlement order regarding the FTC’s charges that three large data breaches from 2014 to 2020 resulted from the companies’ failure to implement reasonable data security, the regulator said in a Wednesday (Oct. 9) press release.

“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in the release. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”

Marriott International said in a Wednesday press release that the company makes no admission of liability with respect to the underlying allegations, as indicated in the agreements, and that many of the enhancements to its data privacy and information security programs are already in place or in progress.

“Protecting guests’ personal data remains a top priority for Marriott,” the company said in the release. “These resolutions affirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify and manage risks from evolving cybersecurity threats.”

According to the FTC press release, under the proposed settlement order, Marriott and Starwood will be prohibited from misrepresenting how they handle consumers’ personal information and will be required to retain personal information for only as long as it is needed for the purpose for which it was collected, certify the compliance of their information security program to the FTC for 20 years, enable consumers to request review of unauthorized activity in their Marriott Bonvoy loyalty rewards accounts, and allow customers to request deletion of certain personal information.

A separate settlement order announced Wednesday will require Marriott to pay a $52 million penalty to 49 states and the District of Columbia to resolve similar allegations, per the release.

The data breaches spotlighted by the FTC in the release include one that began in June 2014, went undetected for 14 months and affected 14,000 Starwood customers; another that began around July 2014, went undetected for over four years and saw fraudsters access 339 million Starwood guest account records; and a third data breach that began in September 2018, went undetected until February 2020 and saw fraudsters access 5.2 million Marriott guest records, according to the release.