Marriott’s $52M Wake-Up Call: FTC and States Crack Down on Data Breaches

By Mark Sanborn
Senior Product and Regulatory Counsel

On October 9, 2024, the FTC announced a settlement with Marriott International, Inc. and its subsidiary, Starwood Hotels & Resorts Worldwide LLC (“Marriott”), related to three data breaches from 2014 to 2020. One breach involved unauthorized access to Marriott’s systems over multiple years, and in total, the three breaches compromised the personal data of over 339 million consumers. The FTC settlement imposes a 20-year consent order but no monetary penalty because the FTC lacks the authority to seek a penalty in this instance. However, alongside this FTC settlement, Marriott reached a separate $52 million settlement with 49 state attorneys general and the District of Columbia following their investigation into the breaches. 

As part of the state settlement, Marriott agreed to pay a $52 million penalty and implement several cybersecurity measures. These include a comprehensive information security program based on zero-trust principles, enhanced employee training, data minimization, and stricter access controls. Marriott must also improve its vendor oversight, particularly regarding IT risks, assess security gaps during mergers and acquisitions, and submit to independent cybersecurity assessments every two years for the next 20 years. The settlement also requires added consumer protections like multi-factor authentication for loyalty accounts and options for data deletion, even in states without such deletion requirements.

The FTC settlement includes a 20-year consent order that adds further cybersecurity obligations, such as regular risk assessments, encryption of sensitive data, incident response plans, and annual reports on data security issues. Marriott must also designate a senior employee to oversee compliance and provide ongoing cooperation with the FTC.

Marriott still faces a consumer class action lawsuit, alongside its security vendor, Accenture. The lawsuit seeks damages on behalf of an initial group of 44 million consumers from 6 states, alleging that Marriott and Accenture failed to adequately protect sensitive information, including payment and passport details. The plaintiffs seek damages related to overpayment for hotel rooms, as well as damages for the inherent value of their personal information stolen during the breach.

While many of the requirements Marriott agreed to mirror those under the FTC Safeguards Rule, this case was pursued under the FTC’s Section 5 authority, which targets unfair and deceptive practices. The FTC alleged that Marriott misrepresented its data protection measures and information security practices, which allegedly constituted a violation of Section 5 of the FTC Act. The settlement underscores the FTC’s aggressive posture relating to data security incidents, even in cases where specific statutory safeguards do not apply.

The Marriott settlement demonstrates the FTC’s growing focus on cybersecurity enforcement and its willingness to leverage Section 5 authority to address inadequate data protection practices. It also sends a clear message to companies that cybersecurity failures can lead to significant legal and financial consequences, underscoring the importance of comprehensive security measures.

ComplyAuto Privacy customers are protected by the industry’s most popular GLBA Safeguards compliance package that includes vendor risk assessments, information security audits, employee training, an information security program (ISP), full internal & external penetration tests, secure file transfer, and more to help reduce your chances of a data breach, ransomware attack, or FTC enforcement action. 

All backed by a $1 million regulatory compliance guarantee. 

ComplyAuto is also the only dealership compliance partner that offers a full suite of enterprise-level data security tools, including Data Loss Prevention, full email security, MFA and encryption tools, endpoint detection and response, and a real penetration test.
