FTC and Coalition of State Attorneys General Announce Settlements with Marriott over Guest Data Breaches

On October 9, 2024, both the Federal Trade Commission and a coalition of 50 state attorneys general (“the state AGs”) issued announcements that they had reached settlement agreements with Marriott International, Inc. (“Marriott”) and its subsidiary Starwood Hotels & Resorts Worldwide LLC (“Starwood”) over a multi-year series of data breaches. The FTC and state AGs launched parallel investigations into Marriott and Starwood in connection with multiple breaches of a guest reservation database that impacted hundreds of millions of individuals.

According to the state AGs and the FTC, Starwood’s and Marriott’s security failures led to multiple significant data breaches between 2014 and 2020. The FTC’s proposed complaint alleges that such failures included inappropriate or inadequate password, access, or firewall controls, network segmentation, patching, logging, or use of multifactor authentication. Marriott acquired Starwood in 2016, making it the largest hotel chain in the world. The first Starwood breach began in June 2014 and went undetected for months. Consumers were notified of this breach in 2015, four days after Marriott announced the Starwood acquisition. The second Starwood breach began in July 2014 and was not detected until September 2018. The third breach, which impacted Marriott’s network, began in September 2018 and went undetected until February 2020. The breaches impacted more than 344 million guest records, including data from millions of Americans. The records impacted included passport numbers, names, mailing addresses, birth dates, loyalty account information, preferences, payment card data and more.

The FTC’s proposed settlement order with Marriott and Starwood relates to alleged security failures in violation of Section 5(a) of the FTC Act. The proposed order prohibits the entities from making misrepresentations about privacy and security and requires both entities to:

  • Implement a data minimization policy and document their justifications for retaining data.
  • Implement a comprehensive information security program and certify compliance to the FTC annually for 20 years.
  • Obtain an independent, third-party assessment of the information security program every two years.
  • Provide their U.S. customers with a way to request the deletion of personal information associated with their email address or loyalty rewards number.

The companies will have various related notification and recordkeeping obligations. Marriott also will be required to provide customers redress for stolen loyalty points. The FTC noted that it does not have authority to impose civil penalties in the case.

The state AG settlement addresses allegations related to state consumer protection, personal information protection and breach notification laws. Under the settlement, Marriott is required to make a $52 million payment to the states, implement certain customer protections such as data deletion, and strengthen its data security practices by adopting a “risk-based” approach to cybersecurity. Measures include ongoing risk assessments, specific security controls, increased vendor and franchisee oversight, and improved diligence in relation to future acquisitions. Consistent with the FTC order, the state AG settlement also requires the entities to implement a comprehensive information security program and related assessments. Both settlements set out detailed obligations for the information security program. Attorneys general from the District of Columbia and all states but California joined the coalition.

The FTC and state AG agreements underscore the importance of establishing a robust, ongoing risk assessment program and indicate an increased regulatory focus on data retention and minimization measures.
