The Federal Trade Commission (FTC) has finalized an order requiring Marriott International and its subsidiary, Starwood Hotels & Resorts, to implement a robust data security program in response to three major data breaches that compromised the personal information of over 344 million customers worldwide. The FTC’s complaint, originally announced in October, accused the companies of misleading consumers by claiming to have adequate data security measures while failing to implement reasonable safeguards to protect sensitive information. These security lapses resulted in breaches that exposed a wide range of personal details, including passport information, payment card numbers, and loyalty program data.
Under the terms of the FTC’s order, Marriott and Starwood must establish a comprehensive information security program designed to protect customer data from future breaches. The program includes measures to retain personal information only for as long as necessary and to implement procedures that allow U.S. customers to request the deletion of their personal data linked to their email address or loyalty rewards account number. The order also mandates that Marriott review loyalty rewards accounts upon customer request and restore stolen points, addressing a significant concern raised by affected individuals.
In addition to the security measures, the FTC has prohibited Marriott and Starwood from making misrepresentations about how they collect, maintain, use, or disclose customer data. The companies must also refrain from misleading consumers about the extent to which they protect the privacy, security, and integrity of personal information. This comprehensive order aims to ensure that Marriott and Starwood take the necessary steps to prevent future data breaches and build greater transparency around their data practices.
The FTC’s decision underscores its commitment to protecting consumers and holding companies accountable for their data protection failures. The order will also serve as a reminder to businesses about the importance of implementing strong security measures to safeguard personal information. With increasing concerns about data breaches and cybersecurity threats, the FTC’s action is an important step in promoting consumer trust and ensuring that companies take proactive steps to secure sensitive customer data.
