Settlements were announced by the FTC and state attorneys general yesterday. Only the state settlement involved a monetary penalty because the FTC had no authority to impose penalties in its case.
Settlement with the FTC
The Federal Trade Commission will require Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC to implement a robust information security program to settle charges that the companies’ failure to implement reasonable data security led to three large data breaches from 2014 to 2020 impacting more than 344 million customers worldwide.
In a proposed settlement order with the FTC announced today, Marriott and Starwood also agreed to provide all their U.S. customers with a way to request deletion of personal information associated with their email address or loyalty rewards account number. In addition, the proposed settlement requires Marriott to review loyalty rewards accounts upon customer request and restore stolen loyalty points.
Under a separate settlement also announced today, Marriott agreed to pay a $52 million penalty to 49 states and the District of Columbia to resolve similar data security allegations. The FTC and the states worked in parallel on the investigation. The FTC does not have legal authority to obtain civil penalties in this case.
“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”
Marriott and Starwood’s Security Failures
Marriott manages and franchises more than 7,000 properties throughout the United States and across more than 130 other countries. After Marriott acquired Starwood in 2016, it was responsible for the data security practices of both brands.
In a proposed complaint, the FTC says that Marriott and Starwood deceived consumers by claiming to have reasonable and appropriate data security. Despite these claims, the companies unfairly failed to deploy reasonable or appropriate security to protect personal information. Specifically, the proposed complaint alleges that Marriott and Starwood failed to: implement appropriate password controls, access controls, firewall controls, or network segmentation; patch outdated software and systems; adequately log and monitor network environments; and deploy adequate multifactor authentication.
The FTC alleged that security failures by Marriott and Starwood resulted in at least three separate data breaches wherein malicious actors obtained the passport information, payment card numbers, loyalty numbers, dates of birth, email addresses and/or personal information from hundreds of millions of consumers, according to the proposed complaint.
The first breach began in June 2014 involving payment card information of more than 40,000 Starwood customers, according to the proposed complaint. The breach went undetected for 14 months until Starwood notified customers in November 2015, just four days after Marriott announced it was acquiring Starwood.
The second breach began around July 2014 and went undetected until September 2018. During that time, malicious actors accessed 339 million Starwood guest account records worldwide, including 5.25 million unencrypted passport numbers.
The third breach, which went undetected from September 2018 until February 2020, impacted Marriott’s own network. Malicious actors accessed 5.2 million guest records worldwide, including data from 1.8 million Americans. The compromised records contained significant amounts of personal information, including names, mailing addresses, email addresses, phone numbers, month and day of birth, and loyalty account information.
Settlement Requirements
Under the proposed order, Marriott and Starwood will be prohibited from misrepresenting how they collect, maintain, use, delete or disclose consumers’ personal information; and the extent to which the companies protect the privacy, security, availability, confidentiality, or integrity of personal information. Other provisions of the proposed order include:
- Data Minimization: The companies must implement a policy to retain personal information for only as long as is reasonably necessary to fulfill the purpose for which it was collected. The companies also must share the purpose behind collecting personal information and specific business need for retaining it.
- Comprehensive Information Security Program: Marriott and Starwood are required to establish, implement and maintain a comprehensive information security program and certify compliance to the FTC annually for 20 years. The information security program must contain robust safeguards, and undergo an independent, third-party assessment every two years.
- Loyalty Rewards Program Account Review: The companies must provide a method for consumers to request review of unauthorized activity in their Marriott Bonvoy loyalty rewards accounts and Marriott must restore any loyalty points stolen by malicious actors.
- Data Deletion: The companies must provide a link for customers to request deletion of personal information associated with an email address and/or a loyalty rewards program account number.
The Commission voted 3-0-2 to issue the administrative complaint and to accept the proposed consent agreement. Commissioners Melissa Holyoak and Andrew Ferguson were recused from this matter.
The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744.
The lead staff attorneys on this matter are Katherine McCarron and Kamay Lafalaise from the FTC’s Bureau of Consumer Protection.
The Federal Trade Commission works to promote competition and protect and educate consumers. The FTC will never demand money, make threats, tell you to transfer money, or promise you a prize. Learn more about consumer topics at consumer.ftc.gov, or report fraud, scams, and bad business practices at ReportFraud.ftc.gov. Follow the FTC on social media, read consumer alerts and the business blog, and sign up to get the latest FTC news and alerts.
Source: The Federal Trade Commission
$52 Million Settlement with States
NEW YORK – New York Attorney General Letitia James today announced a $52 million multistate settlement with Marriott International, Inc. (Marriott) over a multi-year data breach of one of its guest reservation databases. A multistate investigation found that one of Marriott’s subsidiaries, Starwood Hotels and Resorts Worldwide (Starwood), had intruders in its system for four years without getting detected, leading to a data breach that affected 131.5 million customers nationwide, including millions of New Yorkers. Today’s settlement with 50 attorneys general requires Marriott to significantly overhaul and strengthen its data security to protect customers’ private information and pay $52 million in penalties, of which New York will receive $2.29 million.
“When people book a hotel stay for travel or work, they shouldn’t have to worry that their personal data and credit card information will be stolen,” said Attorney General James. “Marriott let cybercriminals live in its database for years and millions of people had their information stolen as a result. Protecting customers’ private information should be a top priority, not a last resort, for all companies. I am proud to stand with my fellow attorneys general to hold Marriott accountable and to protect customers.”
Starwood operates hundreds of hotels nationwide, including hotels in New York. Marriott acquired Starwood in 2016 and took control of its computer network and databases. A multistate investigation discovered that from July 2014 until September 2018 intruders accessed and stayed on Starwood’s databases undetected for years. This intrusion led to the breach of 131.5 million customers’ personal information. The theft impacted people nationwide and exposed personal information, including contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.
Today’s settlement requires Marriott to significantly strengthen and continually improve its cybersecurity practices. Some of the specific measures include:
- An independent third-party assessment of Marriott’s information security program every two years for a period of 20 years.
- Data minimization and disposal requirements, which will lead to less customer data being collected and retained.
- Implementation of a comprehensive Information Security Program, including regular security reporting to the highest levels within the company, including the Chief Executive Officer, and enhanced employee training on data handling and security.
- Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers.
- In the future, if Marriott acquires another entity, it must promptly assess the acquired entity’s information security program and develop plans to address deficiencies as part of the integration into Marriott’s network.
As part of the settlement, Marriott will allow customers to delete their data that is stored with the hotel if they wish to do so. Marriott must also offer multi-factor authentication to customers for their loyalty rewards accounts, such as Marriott Bonvoy, and conduct reviews of those accounts to ensure there is no suspicious activity.
Joining Attorney General James in signing today’s settlement are the attorneys general of Alabama, Alaska, Arizona, Arkansas, Connecticut, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Mexico, New Jersey, North Carolina, North Dakota, Ohio, Oregon, Oklahoma, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, West Virginia, Wisconsin, Wyoming, Vermont, and the District of Columbia.
Attorney General James has taken major actions to hold companies accountable for having poor cybersecurity and to improve data security practices. In August 2024, Attorney General James and a multistate coalition secured $4.5 million from a biotech company for failing to protect patient data. In July 2024, Attorney General James launched two privacy guides, a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web, to help businesses and customers protect themselves. In July 2024, Attorney General James issued a consumer alert to raise awareness about free credit monitoring and identity theft protection services available for millions of customers impacted by the Change Healthcare data breach. In March 2024, Attorney General James led a bipartisan coalition of 41 attorneys general in sending a letter to Meta Platforms, Inc. (Meta) addressing the recent rise of Facebook and Instagram account takeovers by scammers and frauds. In January 2024, Attorney General James reached an agreement with a Hudson Valley health care provider to invest $1.2 million to protect patient data.
For New York, this matter was handled by Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.
Source: NYS Attorney General’s Office