What We Can Learn From the FTC Settlement with Marriott International, Inc.

Background:

Marriott International and its subsidiary Starwood suffered a series of data breaches that ultimately exposed the personal data of 344 million consumers. These events spanned from November 2015 to September 2018. On October 9^th, 2024, the FTC announced a settlement with Marriot International regarding the alleged violations to Section 5(a) of the Federal Trade Commission Act.

What we can learn:

The FTC, which has regulatory authority to enforce the safeguard rules, holds regulated entities accountable to basic best practices, such as password management, access control, timely software patching, network monitoring, firewalls and anti-malware and multi-factor authentication. The A2Safe Hub helps you to implement, manage and maintain everything consumers and regulators expect your business to have in place to help protect their personal information.

FTC Findings:

The FTC held that Marriott failed to provide reasonable or appropriate security for the personal information they collected and maintained about consumers, outlining that Marriott failed to:

• Implement appropriate password controls;
• Patch outdated software and systems in a timely manner;
• Adequately monitor and log network environments;
• Implement appropriate access controls;
• Implement appropriate firewall controls;
• Implement appropriate network segmentation; and
• Apply adequate multifactor authentication to protect sensitive information.

Results:

In light of the findings, the FTC’s proposed order prohibits Marriott from misrepresenting:

• How they collect, maintain, use, delete, or disclose consumers’ personal information; and
• The extent to which they protect the privacy, security, availability, confidentiality, or integrity of personal information.

The proposed order also requires Marriott to:

• Establish, implement, and maintain a comprehensive information security program that protects the security, confidentiality, and integrity of personal information, including:
  • The designation of a responsible employee;
  • Multi-factor authentication; and
  • Data access controls for Marriott employees and IT vendors;
• Submit incident reports to relevant authorities within 10 days of notification;
• Provide a link for customers to request the deletion of personal information associated with an email address and/or loyalty rewards program account number; and
• Implement a policy to retain personal information only for as long as is reasonably necessary to fulfill the purpose for which it was collected.