
On October 9, 2024, the Federal Trade Commission (FTC) and state attorneys general (AGs) from 49 states and the District of Columbia announced a pair of parallel settlements with Marriott International Inc., resolving liability for a series of three data breaches from 2014 to 2020 involving 344 million customers worldwide. The settlements highlighted the importance of updating and testing information security programs to address vulnerabilities and improve response plans for security incidents.

The FTC’s administrative complaint detailed how Marriott and Starwood Hotels & Resorts Worldwide LLC, acquired by Marriott in 2016, failed to implement proper data security practices, leading to the breaches. The FTC complaint emphasized Marriott’s responsibility for Starwood’s security environment due to the acquisition process and the failure to detect security incidents. These incidents included breaches in 2014 and 2018 that compromised customer payment card information, guest account records, and passport numbers.

As part of the settlements, consumers can request reviews of unauthorized activity in their accounts and have stolen loyalty points restored. Marriott and Starwood are required to implement written information security programs, conduct annual testing and monitoring, and undergo biennial third-party security assessments for 20 years. The settlements also mandate increased oversight of vendors and franchisees and prohibit misrepresentations about privacy and security practices.

In addition to the FTC settlement, state AGs reached a $52 million settlement with Marriott for the same breaches. The AGs’ settlement included requirements similar to the FTC’s, with a focus on conducting risk assessments for critical IT vendors. The settlements underscored the limitations on the FTC’s ability to impose civil penalties for data security violations, leading to increased collaboration with state AGs to address monetary penalties.

Companies can draw several key takeaways from these settlements, including the need to evaluate potential liability for pre-acquisition security incidents, maintain comprehensive written information security programs, and enhance incident detection and response procedures. The FTC’s emphasis on timely incident reporting and response highlights the importance of proactive security measures to protect consumer data and mitigate the risks associated with data breaches. By learning from these settlements, companies can strengthen their data security practices and better protect customer information in an evolving threat landscape.