
Federal Trade Commission Finalizes Order Requiring Marriott International and Starwood Hotels to Improve Digital Security
On Friday, the Federal Trade Commission (FTC) announced that it had finalized an order requiring Marriott International and its subsidiary Starwood Hotels to enhance their digital security practices. This move comes after the FTC charged the companies with lax security measures that resulted in three significant breaches detected in 2015, 2018, and 2020, affecting more than 344 million customers worldwide.
The Breaches: A Timeline of Insecurity
The first breach occurred in 2015, but it was not detected until 2016. The second breach took place in 2018 and lasted for four years, with attackers maintaining access to the company’s systems from that point onwards. The third breach was detected in 2020 and lasted for 14 months before being identified.
The breaches compromised sensitive customer information, including passport details, payment cards, and other personal data. The lack of robust security measures allowed hackers to gain unauthorized access to the companies’ systems, highlighting the need for improved digital security practices.
Charges and Settlement
In October, the FTC announced its charges against Marriott International and Starwood Hotels, accusing them of having "deceived consumers" with false claims of "reasonable and appropriate data security." The alleged failures included poor password and firewall practices, outdated software and systems, and inadequate patching measures. The same day, the Connecticut Attorney General’s office announced that Marriott had agreed to a $52 million settlement.
The Order: Requirements for Improved Security
As part of the order, Marriott International and Starwood Hotels are required to establish beefed-up security programs that include:
- Policies for data retention: Only keeping information for as long as it is needed
- Publication of deletion link: Allowing US customers to request the deletion of information tied to their email address or loyalty account
Additional Requirements
The companies are also forbidden from misrepresenting how they collect, maintain, use, delete, or disclose consumers’ personal information. They must also keep compliance records and submit to FTC inspections.
Impact on Customer Data Security
This order sends a strong message to companies about the importance of digital security and data protection. Marriott International and Starwood Hotels must now prioritize customer data security and take concrete steps to prevent future breaches.
Industry Response: A Need for Improvement
Hotels have been one of many key targets for hackers in recent years, with a breach last year affecting FTC Chair Lina Khan among others. The incident highlights the need for improved digital security measures across the industry.
Conclusion
The Federal Trade Commission’s order requiring Marriott International and Starwood Hotels to improve their digital security is a significant step towards protecting customer data. By implementing stricter security measures and submitting to regular inspections, these companies can prevent future breaches and maintain customer trust.
This order serves as a reminder to all businesses of the importance of prioritizing customer data security. With the increasing threat of cyberattacks, it’s essential for companies to stay ahead of the game and invest in robust digital security measures.