11/20/24
By: Zohar Peleg
On October 9, 2024, Marriott International, Inc. and its subsidiary, Starwood Hotels & Resorts Worldwide, LLC (collectively “Marriott”) agreed to a proposed settlement with the Federal Trade Commission (“FTC”) and a coalition of forty-nine state attorneys general and the District of Columbia over several data security breaches.
According to the FTC, Marriott endured at least three separate data security breaches between 2014 and 2020. The first breach, occurring before Marriott’s 2016 acquisition of Starwood, compromised Starwood’s point-of-sale systems and exposed more than 40,000 consumer payment cards over a period of fourteen months. The second breach, beginning in 2014 and involving Starwood’s guest reservation database, went undetected until 2018. Over the span of four years, malicious actors compromised sensitive information of approximately 339 million Starwood guest records, including passport numbers, contact information, and loyalty numbers. In 2020, malicious actors compromised the credentials of Marriott employees and gained access to guest and consumer records. The FTC claimed that Marriott’s failure to enforce reasonable data security practices likely resulted in the breaches.
Under the proposed settlement, Marriott will bolster its data security practices pursuant to the following key provisions:
In addition to agreeing to enhance its data security practices, Marriott will pay a $52 million penalty to forty-nine states and the District of Columbia to resolve similar data security breach allegations.
The proposed settlement provides insight into the FTC’s enforcement priorities and underscores the importance of employing and updating comprehensive cybersecurity practices. Accordingly, before a breach occurs, organizations should invest the time and resources in informed exercises, such as data mapping, to understand what data they hold, where that data is located, and what the applicable use cases are across the organization. In addition, by implementing data minimization practices, including deletion and destruction of consumer data that is no longer needed, organizations may reduce the amount of data exposed in the event of a data breach.
For more information, please contact Zohar Peleg at zohar.peleg@fmglaw.com or your local FMG attorney.