The Federal Trade Commission (FTC) finalized an order against Marriott International and its subsidiary, Starwood Hotels, mandating comprehensive improvements to their digital security practices. This action follows a series of three significant data breaches between 2015 and 2020, impacting over 344 million customers globally. These breaches exposed sensitive personal information, including passport details, payment card data, and other confidential information. The FTC’s order underscores the severity of Marriott’s lax security practices, which allowed unauthorized access to persist for extended periods, ranging from 14 months to a staggering four years in the case of the 2018 breach. This order marks a significant step in holding corporations accountable for safeguarding customer data and highlights the growing concern over cybersecurity vulnerabilities in the hospitality industry.
The FTC’s order compels Marriott and Starwood to implement robust security programs encompassing a range of critical measures. One key aspect is the implementation of data retention policies that limit the storage of personal information to what is necessary for legitimate business purposes. This addresses the prevalent issue of organizations retaining data longer than required, which increases the risk of exposure in the event of a breach. Furthermore, the order mandates that Marriott and Starwood provide US customers with a readily accessible mechanism for requesting the deletion of personal information associated with their email addresses or loyalty accounts. This empowers customers to exert greater control over their data and aligns with the growing emphasis on data privacy rights. These measures, along with others outlined in the order, aim to prevent future breaches and enhance Marriott’s overall security posture.
The hospitality industry, including hotel chains like Marriott, has become a prime target for cyberattacks. The interconnected nature of their systems, the vast amounts of sensitive customer data they hold, and the potential financial gains for attackers make them attractive targets. A notable example of this vulnerability occurred last year when a ransomware attack crippled MGM Resorts, forcing them to revert to manual check-in processes using pen and paper, impacting guests including FTC Chair Lina Khan. This incident highlighted the disruptive potential of cyberattacks and the need for enhanced security measures across the industry. The FTC’s action against Marriott serves as a wake-up call for other hotel chains to prioritize cybersecurity and protect customer data from increasingly sophisticated threats.
The FTC’s charges against Marriott and Starwood, announced in October, alleged that the companies had misled consumers by falsely claiming to maintain “reasonable and appropriate data security.” The FTC’s investigation revealed a series of security failures, including inadequate password and firewall practices, failure to patch outdated software and systems, and a general lack of diligence in safeguarding customer data. These failures contributed to the severity and duration of the data breaches, exposing millions of customers to potential identity theft and other forms of harm. Concurrently with the FTC’s charges, the Connecticut Attorney General’s office announced a $52 million settlement with Marriott, further underscoring the seriousness of the security lapses. This combined action demonstrates the growing regulatory scrutiny of data security practices and the willingness of authorities to hold companies accountable for failures to protect consumer information.
The FTC’s order extends beyond immediate security improvements, imposing significant restrictions on Marriott and Starwood’s future conduct. The companies are now prohibited from misrepresenting their data collection, maintenance, use, deletion, and disclosure practices. They are also barred from making misleading claims about the extent to which they protect the privacy, security, availability, confidentiality, and integrity of personal information. This aims to prevent future deceptive practices and ensure transparency in their communication with customers regarding data security. Furthermore, the order mandates that Marriott and Starwood maintain comprehensive compliance records and submit to regular FTC inspections. This ongoing oversight will ensure their adherence to the order’s requirements and promote a culture of accountability within the organization.
The FTC’s order against Marriott and Starwood is a landmark decision with far-reaching implications for the hospitality industry and data security practices more broadly. The 20-year duration of the order underscores the seriousness of the breaches and the FTC’s commitment to ensuring long-term compliance. The order serves as a strong deterrent against lax security practices and emphasizes the importance of proactive measures to protect customer data. It also reinforces the growing trend of regulatory action against companies that fail to meet their data security obligations. This case sets a precedent for future enforcement actions and highlights the increasing legal and financial risks associated with inadequate cybersecurity practices. The order compels Marriott and Starwood to implement fundamental changes to their security posture, promoting a more secure environment for their customers and setting a higher standard for data protection within the industry.