Hoteliers Must Implement Comprehensive Security and Privacy Measures to Settle FTC Charges

Why This Alert Is Important

The FTC's action against Marriott and Starwood underscores the importance of robust data security and consumer privacy protection, as these companies are now mandated to overhaul their information security practices. 

Overview of the Incidents

The Federal Trade Commission (FTC) has mandated Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC to implement a robust information security program in response to three large-scale data breaches that occurred between 2014 and 2020. These breaches collectively impacted more than 344 million customers globally, exposing sensitive personal information such as passport details, payment card numbers, and loyalty program information. 

The crux of the FTC's complaint is that, despite portraying themselves as upholding reasonable data security measures, Marriott and Starwood's security practices were severely lacking. The companies failed to implement necessary security controls, such as effective password controls and multifactor authentication, and did not adequately monitor their network environments. This negligence facilitated the three data breaches. The first breach, in 2014, affected over 40,000 Starwood customers; the second, which persisted until 2018, compromised 339 million guest records worldwide; and the third, undetected until early 2020, exposed data from 5.2 million guests, including a significant portion of American customers. 

What the Settlement Requires

In addition to a $52 million penalty that Marriott will pay to 49 states and the District of Columbia, Marriott and Starwood face a series of stringent requirements aimed at fortifying consumer data protection. 

  • Prohibition of Misrepresenting Policies: The companies are prohibited from misrepresenting their methods of collecting, handling, and disposing of consumer personal information, as well as overstating their privacy and security measures. 
  • Data Minimization: The companies must implement a Data Minimization policy, which obligates them to retain personal data only as long as necessary for its intended purpose, and clearly communicate the purpose and business need for retaining it. 
  • Comprehensive Information Security Program: Marriott and Starwood must certify compliance with the program to the FTC annually for two decades, supported by biennial independent assessments. 
  • Data Subject Requests: Marriott and Starwood must offer a simple means for customers to request the deletion of personal data linked to an email address or loyalty program account number.

To the untrained eye, this case may seem like a purely cybersecurity-based Consent Agreement between the FTC and the Marriott and Starwood organizations. But paragraph D addresses the risk to PII that could result from (1) unauthorized collection, maintenance, alteration, destruction, use, or disclosure of, or provision of access to, Personal Information; or (2) misuse, loss, theft, or other compromise of such Personal Information. It requires risk assessments and the assignment of safeguards based on the volume and sensitivity of the PII and the likelihood of its unauthorized disclosure, misuse, or loss. 

These requirements are very familiar to organizations that have been involved in implementing GDPR, among the strictest privacy laws in the world, and should be interpreted as an expectation that PII is protected throughout its lifecycle inside the IT systems as well as when it leaves the organization to be shared with third parties. Without saying so in as many words, the FTC is expecting a privacy mandate to be put in place surrounding the protection of PII. For such mature organizations, Marriott and Starwood had failed to implement privacy and security programs commensurate with the volume and sensitivity of the PII they held.

Amalia Barthel, CIPM, CIPT, University of Toronto

Data Privacy Tip

A solid data minimization program starts with an understanding of what data your organization holds and where it resides. Learn how Data Discovery can help you achieve multiple benefits including implementing a data minimization program in this infographic.
