This week, Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC (collectively, Marriott) agreed to settle on the terms of a settlement order with the Federal Trade Commission (FTC) for its alleged failures to implement reasonable security measures which in turn led to three data breaches between 2014 and 2020, affecting over 344 million consumers across the globe. The type of data affected included names, passport information, payment card numbers, loyalty numbers, dates of birth, email addresses, and other types of personal information. Specifically, the FTC alleged that Marriott failed to implement appropriate password controls, access controls, firewall controls, or network segmentation; patch outdated software and systems; adequately log and monitor network environments; or deploy adequate multifactor authentication.

Pursuant to the Order, Marriott will:

  • Provide all U.S. consumers with a means to request deletion of their personal information;
  • Allow all U.S. consumers to review loyalty rewards accounts upon request and reinstate loyalty points if such points were stolen as a result of the breach(es);
  • Clearly and transparently disclose to consumers how Marriott collects, maintains, uses, deletes, and discloses consumers’ personal information;
  • Minimize the retention of personal information only for as long as such information is needed to fulfill the purpose for which it was collected;
  • Implement and maintain a comprehensive information security program and certify compliance to the FTC annually for 20 years; and,
  • Undergo an independent, third-party security risk assessment every two years;

The FTC does not have legal authority to require Marriott to pay civil penalties in this matter. Additionally, this week, Marriott agreed to pay a $52 million penalty to 49 states and the District of Columbia to resolve similar data security allegations made by state regulators.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.