Marriott’s FTC Settlement: Key Business Implications Explained by McCarron, Kama

19 Oct 2024

 

Marriott International, Inc., renowned for its values of putting people first, pursuing excellence, acting with integrity, and serving the world, now faces scrutiny over its data security practices. The Federal Trade Commission (FTC), alongside Attorneys General from 49 states and Washington, D.C., have highlighted data breaches involving Marriott and its subsidiary, Starwood Hotels & Resorts Worldwide, LLC. These breaches, occurring between 2014 and 2020, have exposed millions of sensitive customer records.

According to the FTC’s complaint, bad actors exploited weak security systems in two separate incidents between 2014 and 2018, resulting in the theft of 339 million consumer records from Starwood, including passport numbers, payment card details, and loyalty information. In 2020, a similar breach occurred on Marriott’s network, with intruders stealing 5.2 million guest records. The stolen data could have been used to conduct targeted phishing attacks, raising serious concerns about data privacy.

To resolve the case, Marriott and Starwood have agreed to implement stronger data protection processes, aimed at preventing future breaches. This includes measures to detect and address security issues promptly. Marriott also agreed to pay $52 million as part of settlements with state authorities.

Key lessons for businesses include:

1. Check security practices during acquisitions: Marriott’s failure to secure Starwood’s system post-acquisition highlights the importance of thoroughly assessing the security vulnerabilities of newly acquired companies.
2. Use a multi-layered approach to data security: Conduct risk assessments and implement controls like employee training, software updates, and access management.
3. Limit data collection and retention: Collect only the data you need and give customers the option to delete personal information.
4. Ensure vendor oversight: Choose vendors with strong data security practices and monitor their compliance.
5. Monitor franchisee relationships: Establish contracts that include data security requirements and conduct regular audits.

These lessons underscore the importance of proactive data security measures for all businesses.
 

 

Interview