FTC Issues Order Requiring Marriott & Starwood to Strengthen Data Security

The Federal Trade Commission (FTC) announced today that it has issued an order requiring Marriott International, Inc. and Starwood Hotels & Resorts Worldwide LLC, a subsidiary of Marriott, to implement more robust data security programs.

This order stems from charges against the companies alleging they failed to maintain adequate data security, resulting in three major breaches that collectively impacted over 344 million customers worldwide.

The FTC initially brought charges against Marriott and Starwood, accusing them of misleading customers by claiming to have sufficient data security measures while failing to properly safeguard private information. These deficiencies allegedly led to at least three separate cybersecurity breaches, exposing a vast amount of personal data—including passport information, payment card details, and loyalty account numbers—to cybercriminals.

Under the order, Marriott and Starwood are required to establish a more comprehensive data security program to protect customer information, implement a policy for retaining private data only as long as necessary, and add a feature on their website enabling U.S. customers to request the deletion of personal data tied to their email addresses or loyalty rewards account numbers.

Additionally, Marriott will be required to inspect loyalty rewards accounts and reimburse customers for stolen loyalty points upon request.

The order also prohibits Marriott and Starwood from misrepresenting their practices for collecting, storing, using, deleting, or disclosing private information. It further prevents them from making false claims about the level of protection they provide for the privacy, security, availability, confidentiality, or integrity of sensitive data.

The FTC considered and responded to two public comments on the proposed order before finalizing it. The order was approved with a 3-0-2 vote by the Commission.
