U.S. Privacy and Data Protection | Insights | Nov. 2024 (Federal Law)

FTC Brings Enforcement Action Against Hotel Chain

After experiencing multiple large-scale data breaches, Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC have agreed to a significant settlement with the Federal Trade Commission (FTC) and 49 state attorneys general. The hotel giants are also required to implement a comprehensive information security program to address the fallout from three major data breaches that occurred between 2014 and 2020.

The FTC's complaint outlines a series of security failures that led to the following three significant data breaches:

• June 2014 - November 2015: Over 40,000 Starwood customers had their payment card information compromised. The breach remained undetected for 14 months.
• July 2014 - September 2018: The largest breach of the three, affecting 339 million Starwood guest account records worldwide, including 5.25 million stolen unencrypted passport numbers. While this breach occurred before Marriott acquired Starwood in 2016, it went unnoticed for another two years post-merger.
• September 2018 - February 2020: Marriott's own network was breached, impacting 5.2 million guest records globally, including 1.8 million Americans.

The FTC alleges that Marriott and Starwood did not offer adequate data security and these breaches were possible due to:

• Lack of complex password controls;
• Insufficient firewall controls;
• Unsecured network segmentation into sub-networks;
• Failure to update outdated software and systems;
• Inadequately supervise and document network environments; and
• Not prioritize multi-factor authentication implementation.

The settlement includes both financial penalties as well as stringent security requirements including:

• Payment of a $52 million penalty to be distributed across participating states.
• Establishment of a robust information security program to prevent future breaches and protect customer data more effectively.
• Enactment of additional Customer Rights and Protections, including:

Data Deletion Requests: U.S. customers will now have the ability to request the deletion of personal information associated with their email addresses or loyalty rewards account numbers.

Loyalty Points Restoration: Marriott has agreed to review loyalty rewards accounts upon customer request and restore any stolen loyalty points.

• Implementation of data minimization policies to ensure personal information is retained for only as long as reasonably necessary to fulfill the purpose for which it was collected.
• Mandatory annual testing and monitoring of Marriott and Starwood’s security safeguards.
• Biennial third-party information security assessments for 20 years.
• Mandatory annual compliance certification by Marriott’s CEO.

Key Takeaways

• Due Diligence is Crucial: The FTC's stance makes it clear that acquiring companies may be held liable for the pre-acquisition security practices of their merged counterpart. This emphasizes the need for thorough cybersecurity assessments during mergers and acquisitions.
• Comprehensive Security Programs are Non-Negotiable: The settlement reinforces the importance of having a robust, written information security program supported by regular risk assessments and routinely monitoring for updates.
• Incident Response Must Be Swift and Effective: The extended periods of undetected breaches factored into the severity of the settlement. Companies must prioritize rapid detection, escalation, and response to security incidents.
• Regulatory Landscape is Evolving: While the FTC's ability to impose monetary penalties is limited, its partnership with state attorneys general demonstrates a trend towards more comprehensive enforcement actions.

Samuel Levine, Director of the FTC's Bureau of Consumer Protection, emphasized the importance of this action: "Marriott's poor security practices led to multiple breaches affecting hundreds of millions of customers. The FTC's action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe."¹

Conclusion

This settlement serves as a wake-up call for the hospitality industry and other businesses handling large volumes of customer data, especially during mergers. It underscores the importance of implementing robust data security measures and the potential consequences of failing to do so.

The FTC's action against Marriott and Starwood sets a precedent for how data breaches and security failures will be addressed in the future, potentially leading to more comprehensive data protection regulations across industries.

Kronenberger Rosenfeld, LLP regularly advises clients regarding data and privacy compliance. Contact our firm using our online case submission form.