Marriott’s $52 million data breach settlement points to a new trend

Marriott International and its subsidiary Starwood Hotels & Resorts Worldwide have reached settlements with the Federal Trade Commission and 49 state attorneys general over a massive data breach at their hotels.

And some observers believe the deal could be a sign of an emerging trend.

Under the agreement, the hotel operator will pay $52 million without admitting liability for the underlying allegations.

According to the complaints, multiple data breaches occurred between 2014 and 2020, affecting more than 344 million customers worldwide.

As part of the settlement with the FTC, Marriott and Starwood must implement a comprehensive information security program designed to improve data protection across their hotel networks worldwide.

“States are becoming much more aggressive”

Kelley Kronenberg partner Timothy Shields notes that this development underscores the government’s efforts to combat data breaches.

“Individual states are much more aggressive in addressing privacy concerns when there is no federal consumer privacy law,” Shields said.

Although Shields is not involved in the FTC lawsuit, the Broward law firm focuses on technology and intellectual property, including copyright, trademark, digital economics, data protection and data breach response.

“I see this trend continuing over the next few years,” Shields said. “The agreement with the FTC outlines several cybersecurity steps for Marriott that are really just standard best practices that every company should already be taking on their own or in collaboration with a cybersecurity expert.”

When contacted, Marriott said as part of its resolutions with the FTC and state attorneys general, the company will continue to implement improvements to its privacy and information security programs, many of which are already in place or in the works.

“For example, Marriott offers US customers a process to request deletion of their personal information, offers an online portal for Marriott Bonvoy® members to report potentially suspicious loyalty account activity, and implements a multi-factor authentication option for Marriott Bonvoy® accounts,” the company statement said.

Marriott and Starwood have also agreed to give all U.S. customers the option to delete personal information associated with their email address or loyalty rewards account number.

Additionally, the proposed settlement requires Marriott to audit loyalty rewards accounts at the customer’s request and restore stolen loyalty points.

“Marriott’s poor security practices resulted in multiple breaches affecting hundreds of millions of customers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Today’s action by the FTC, in coordination with our government partners, will ensure that Marriott improves its data security practices at hotels around the world.”

The FTC and the states worked in parallel on the investigation.

According to the FTC, it does not have the legal authority to impose civil penalties in this case.

“Protecting guests’ personal information remains Marriott’s top priority. These resolutions reaffirm the Company’s continued focus and significant investments in maintaining and adapting its programs and systems to assess, identify and address risks posed by evolving cybersecurity threats,” Marriott said.

Shields, the privacy advocate, points out that there is a valuable lesson to be learned from this government action.

“Individuals need to be much more careful about sharing their information,” Shields said. “It will trickle down. Treat your data as you would your money. Your personal information is like currency – take the same precautions.”

The FTC’s proposed consent agreement is open to public comment before it becomes final. After that, Marriott must comply with the order for 20 years, with third-party assessments occurring every two years.