BlogLine

The price of consumer data: Marriott, Starwood, and the Federal Trade Commission

11/20/24

By: Zohar Peleg

On October 9, 2024, Marriott International, Inc. and its subsidiary, Starwood Hotels & Resorts Worldwide, LLC (collectively “Marriott”) agreed to a proposed settlement¹ with the Federal Trade Commission (“FTC”) and a coalition of forty-nine state attorneys general and the District of Columbia over several data security breaches.  

According to the FTC, Marriott endured at least three separate data security breaches between 2014 and 2020. The first breach, occurring before Marriott’s 2016 acquisition of Starwood, compromised Starwood’s point-of-sale systems and exposed more than 40,000 consumer payment cards over a period of fourteen months. The second breach, beginning in 2014 and involving Starwood’s guest reservation database, went undetected until 2018. Over the span of four years, malicious actors compromised sensitive information of approximately 339 million Starwood guest records, including passport numbers, contact information, and loyalty numbers. In 2020, malicious actors compromised the credentials of Marriott employees and gained access to guest and consumer records. The FTC claimed that Marriott’s failure to enforce reasonable data security practices likely resulted in the breaches.  

Under the proposed settlement, Marriott will bolster its data security practices pursuant to the following key provisions:   

• Information Security System: Marriott will establish and implement a comprehensive information security program addressing safeguards specific to Marriott’s prior data security failures. 

• Independent Assessments:  Marriott will obtain security assessments by an independent, third-party professional every two years for a period of twenty years and certify such compliance with the FTC.    

• Loyalty Rewards Program Accounts Review: Marriott will provide a mechanism for consumers to request a review of their loyalty rewards accounts and reinstatement of stolen loyalty points.  

• Data Handling: Marriott will offer an online mechanism for consumers to request the deletion of personal information linked to email addresses and/or loyalty numbers.  

• Data Minimization: Marriott will retain consumer personal information only for as long as such information is necessary to fulfill the purpose for which it was collected. Marriott will also disclose to consumers its methods for collecting and retaining consumer personal information.  

In addition to agreeing to enhance its data security practices, Marriott will pay a $52 million penalty to forty-nine states and the District of Columbia to resolve similar data security breach allegations.    

The proposed settlement provides insight into the FTC’s enforcement priorities and underscores the importance of employing and updating comprehensive cybersecurity practices. Accordingly, prior to a breach, organizations should spend the time and resources to engage in knowledgeable exercises, such as data mapping, to better understand what data they have, where the data is located, and what the applicable use cases are across the organization. In addition, by implementing data minimization practices, including consumer data deletion and destruction, organizations may reduce the risk of exposure in the event of a data breach.  

For more information, please contact Zohar Peleg at zohar.peleg@fmglaw.com or your local FMG attorney.  

1. The parties’ acceptance of the proposed settlement “does not constitute final approval, but it serves as the basis for further actions leading to final disposition of the matter.” Agreement Containing Consent Order, ¶ 4. https://www.ftc.gov/system/files/ftc_gov/pdf/1923022marriottacco.pdf.  ↩︎