FTC Orders Marriott and Starwood to Implement Strict Data Security Measures
In a landmark move to address significant lapses in data security, the Federal Trade Commission (FTC) has issued orders compelling Marriott International, Inc., and its subsidiary Starwood Hotels & Resorts Worldwide, LLC, to adopt stringent measures to safeguard consumer data. This decision follows a major data breach that exposed the personal information of approximately 383 million guests, highlighting critical vulnerabilities in the companies’ cybersecurity infrastructure.
The Breach: A Timeline of Neglect
The data breach in question dates back to 2014, when attackers gained unauthorized access to Starwood’s reservation database. The intrusion went undetected for four years, even after Marriott acquired Starwood in 2016. The compromised data included sensitive information such as passport numbers, credit card details, and travel itineraries, raising concerns about identity theft and fraud. The FTC’s investigation found that Marriott failed to conduct adequate due diligence during the acquisition and neglected to remedy known security deficiencies in Starwood’s systems.
The FTC’s Findings
The FTC’s complaint outlined several key failings:
- Insufficient Monitoring: Marriott did not have adequate systems in place to detect unauthorized access to its networks.
- Inadequate Encryption: Sensitive data, such as passport numbers, was stored without robust encryption measures.
- Failure to Patch Vulnerabilities: Both companies failed to promptly address known security vulnerabilities.
- Poor Risk Assessment: Marriott and Starwood did not conduct comprehensive risk assessments post-acquisition to identify potential cybersecurity threats.
The Order: What It Entails
Under the FTC’s directive, Marriott and Starwood are required to:
- Implement a Comprehensive Data Security Program: This program must include regular assessments of internal and external risks, prompt implementation of security updates, and robust monitoring for unauthorized access.
- Conduct Third-Party Audits: Independent cybersecurity experts will audit the companies’ data security practices annually for the next 20 years.
- Encrypt Sensitive Data: All sensitive consumer information must be encrypted both at rest and in transit.
- Report Future Breaches Promptly: Marriott and Starwood are mandated to notify the FTC and affected consumers promptly in the event of a data breach.
Broader Implications for the Hospitality Industry
The FTC’s actions serve as a stark reminder to businesses in the hospitality sector and beyond about the importance of robust cybersecurity measures. With the increasing reliance on digital systems to manage reservations, customer data, and payment processing, companies must proactively address vulnerabilities to protect consumer trust and avoid regulatory scrutiny.
What Consumers Can Do
While businesses are responsible for safeguarding personal information, consumers can take steps to mitigate risks:
- Monitor Accounts: Regularly check financial statements for unauthorized transactions.
- Use Strong Passwords: Create unique, complex passwords for online accounts and update them regularly.
- Enable Alerts: Set up account notifications for suspicious activity.
- Be Vigilant: Report any suspected identity theft promptly to relevant authorities.