What We Can Learn From the FTC Settlement with Marriott International, Inc.
October 15, 2024
Background:
Marriott International and its subsidiary Starwood suffered a series of data breaches that ultimately exposed the personal data of 344 million consumers. These events spanned from November 2015 to September 2018. On October 9th, 2024, the FTC announced a settlement with Marriott International regarding the alleged violations of Section 5(a) of the Federal Trade Commission Act.
What we can learn:
The FTC, which has regulatory authority to enforce the safeguard rules, holds regulated entities accountable to basic best practices, such as password management, access control, timely software patching, network monitoring, firewalls, anti-malware, and multi-factor authentication. The A2Safe Hub helps you to implement, manage and maintain everything consumers and regulators expect your business to have in place to help protect their personal information.
FTC Findings:
The FTC held that Marriott failed to provide reasonable or appropriate security for the personal information they collected and maintained about consumers, outlining that Marriott failed to:
- Implement appropriate password controls;
- Patch outdated software and systems in a timely manner;
- Adequately monitor and log network environments;
- Implement appropriate access controls;
- Implement appropriate firewall controls;
- Implement appropriate network segmentation; and
- Apply adequate multifactor authentication to protect sensitive information.
Results:
In light of the findings, the FTC’s proposed order prohibits Marriott from misrepresenting:
- How they collect, maintain, use, delete, or disclose consumers’ personal information; and
- The extent to which they protect the privacy, security, availability, confidentiality, or integrity of personal information.
The proposed order also requires Marriott to:
- Establish, implement, and maintain a comprehensive information security program that protects the security, confidentiality, and integrity of personal information, including:
  - The designation of a responsible employee;
  - Multi-factor authentication; and
  - Data access controls for Marriott employees and IT vendors;
- Submit incident reports to relevant authorities within 10 days of notification;
- Provide a link for customers to request the deletion of personal information associated with an email address and/or loyalty rewards program account number; and
- Implement a policy to retain personal information only for as long as is reasonably necessary to fulfill the purpose for which it was collected.
Why A2C?
Compliance is an incredibly complicated topic, but our solution is the opposite of complicated: it’s just simple. We take the complexities of information security compliance and simplify them, so you can know what you need to do, do it efficiently, then get back to doing what you do best. You’ll get everything you need from us, and that’s all – you will not be paying for extras you DON’T need. We know what we’re doing. As you begin your information security compliance journey with A2C, you can rest assured you’ll be headed down the road to compliance.
Let's Talk
Still need help? Let’s talk! You’ll learn how easy our product is to use and scale, and how we can save you time, money, and stress.