Marriott’s $52M Data Breach Settlement Points to Emerging Trend

Marriott International and its subsidiary, Starwood Hotels & Resorts Worldwide, have reached agreements with the Federal Trade Commission and 49 state attorneys general regarding a massive data breach involving its hotels.

And some observers think the deal could be a sign of an emerging trend.

Under the agreement, the hotel operator will pay $52 million without admitting liability for the underlying allegations.

The complaints said multiple data breaches occurred between 2014 and 2020, impacting more than 344 million customers globally.

As part of the settlement with the FTC, Marriott and Starwood must implement a comprehensive information security program designed to enhance data protection across their hotel networks worldwide.


‘States Are Becoming Much More Aggressive’

Kelley Kronenberg partner Timothy Shields points out that this development highlights government efforts to combat data breaches.


“Individual states are becoming much more aggressive in addressing data privacy concerns absent a federal consumer data privacy law,” Shields said.

While not involved in the FTC action, the Broward attorney’s practice focuses on technology and intellectual property, including copyright, trademark, the digital economy, data privacy and data breach response.

“I see this trend continuing over the next several years,” Shields said. “The agreement with the FTC outlines several cybersecurity steps for Marriott, which really are just standard best practices any organization should already be doing themselves or in partnership with a cybersecurity professional.”

When contacted, Marriott said as part of the resolutions with the FTC and the state attorneys general, it will continue implementing enhancements to its data privacy and information security programs, many of which are already in place or in progress.

“For example, Marriott is offering U.S. customers a process to request deletion of their personal information, offering an online portal for Marriott Bonvoy® members to report potentially suspicious loyalty account activity, and implementing a multi-factor authentication option for Marriott Bonvoy® accounts,” the company statement read.

Marriott and Starwood also agreed to provide all their U.S. customers with a way to delete personal information associated with their email address or loyalty rewards account number.

In addition, the proposed settlement requires Marriott to review loyalty rewards accounts on customer request and restore stolen loyalty points.


“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”

The FTC and the states worked in parallel on the investigation.

According to the FTC, it does not have legal authority to obtain civil penalties in this case.

“Protecting guests’ personal data remains a top priority for Marriott. These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats,” Marriott said.

Shields, the data privacy lawyer, suggests there is a valuable lesson to be learned from this government action.

“Individuals need to be much more cautious in how they share their information,” Shields said. “It will get leaked. Treat your data like you would treat your money. Your personal data is just like currency—take the same precautions.”

The FTC’s proposed consent agreement will be open for public comment before it becomes final. After that, Marriott must comply with the order for 20 years, with third-party assessments every two years.
