In a settlement with Marriott International and its subsidiary Starwood Hotels and Resorts Worldwide, the Federal Trade Commission (FTC) will require Marriott to implement a new comprehensive data-security program. The settlement stems from a series of data breaches spanning from 2014-2020, in which the FTC alleges bad actors accessed over 339 million consumer records, including […]
In a settlement with Marriott International and its subsidiary Starwood Hotels and Resorts Worldwide, the Federal Trade Commission (FTC) will require Marriott to implement a new comprehensive data-security program. The settlement stems from a series of data breaches spanning from 2014-2020, in which the FTC alleges bad actors accessed over 339 million consumer records, including names, unencrypted passport numbers, and payment-card information. In a separate settlement with attorneys general from 49 states and the District of Columbia, Marriott resolved to pay a $52 million fine related to the breaches.
The first breach
In November 2015, Marriott announced that it would acquire Starwood for $12.2 billion. Four days after the announcement, Starwood notified customers that it had experienced a 14-month long data breach of its computer network, in which malicious actors gained access to payment-card information for more than 40,000 consumers.
The second breach
According to the FTC, Marriott failed to identify an ongoing breach within the Starwood network that continued undetected for nearly two years after the acquisition. Due to this second breach, malicious actors obtained the personal information of 339 million consumer records globally, including more than 5.25 million unencrypted passport numbers.
The third breach
Marriott announced in March 2020 that malicious actors had compromised the credentials of employees at a Marriott-franchised property to gain access to Marriott’s own network. These intruders accessed more than 5.2 million guest records, including 1.8 million records related to U.S. consumers, that contained significant amounts of personal information.
Delinquent data-security practices
According to the FTC, Marriott failed to provide reasonable or appropriate security for the personal information that it collected and maintained. These lax security practices included: a failure to implement appropriate password controls, not patching outdated software, failing to adequately monitor network environments, a failure to implement access controls, not implementing appropriate firewall controls, and failing to apply appropriate multifactor authentication to protect sensitive information.
Notably, the FTC alleged that Starwood failed to comply with contractual obligations and internal policies requiring multifactor authentication.
Mandated modifications of Marriott’s information-security program
As part of the settlement, the FTC is requiring Marriott to overhaul its information-security program. In addition to implementing a new comprehensive data-security system, the hospitality company is required to have a third party assess its security system every two years for the next 20 years. Marriott will also have to provide a conspicuous link on its website and mobile apps that permits customers to request that the firm delete their personal information.
Jessica L. Copeland is a member (partner) in the Buffalo office of Syracuse–based Bond, Schoeneck & King PLLC. She advises her clients in all aspects of business counsel and disputes, with a particular focus on data privacy, cybersecurity, and intellectual property. Contact Copeland at jcopeland@bsk.com. Jackson K. Somes is an associate in Bond’s Rochester office. He concentrates his practice area on litigation and health-care matters. Contact Somes at jsomes@bsk.com
Jessica L. Copeland 
Jackson K. Somes