John Jordan

FTC Mandates Enhanced Cybersecurity Measures for Marriott and Starwood After Data Breaches

The Federal Trade Commission (FTC) has ordered Marriott International and Starwood Hotels & Resorts (acquired by Marriott in 2016) to implement and maintain stringent cybersecurity measures following a series of data breaches that compromised the personal information of millions of customers. The order responds to the companies' failure to adequately protect sensitive customer data, which led to the widespread exposure of personal and financial information.

Key Takeaways

  • The FTC has ordered Marriott and Starwood to enhance their cybersecurity protocols.

  • The ruling follows three major data breaches affecting over 344 million customers.

  • Marriott must implement a comprehensive information security program and conduct regular assessments.

Background of the Breaches

Between 2014 and 2020, Marriott and Starwood experienced three major data breaches that exposed the personal information of more than 344 million customers worldwide. The exposed data included passport details, payment card numbers, and other personally identifiable information. The FTC's investigation found that the companies had failed to implement adequate security measures, which allowed attackers to maintain access to customer data for an extended period.

New Cybersecurity Requirements

As part of the FTC's ruling, Marriott is required to establish and maintain a comprehensive information security program that includes:

  • Encryption: Protecting sensitive data through encryption to prevent unauthorized access.

  • Access Control: Implementing strict access controls to limit who can view and manage customer data.

  • Multifactor Authentication: Requiring multiple forms of verification for access to sensitive information.

  • Incident Response: Developing a robust incident response plan to address potential security breaches.

Additionally, Marriott must monitor all IT assets to detect security events and maintain policies for retaining personal information only as long as it is reasonably necessary for the purpose for which it was collected.

Ongoing Compliance and Customer Rights

The FTC's order requires Marriott to obtain independent, biennial assessments of its information security program. Covered security incidents must be reported to the FTC within 10 days. The order will remain in force for 20 years.

Customers will now have the option to:

  • Review suspected unauthorized activity in their loyalty rewards accounts.

  • Request the deletion of their data and personal information from Marriott's systems.

Consequences of Inadequate Security

The FTC's complaint alleged that poor security practices allowed attackers to remain inside the companies' systems for up to four years without detection. Marriott did not admit liability in settling with the FTC. Separately, earlier this year the company agreed to pay $52 million to settle claims brought by 49 state attorneys general and the District of Columbia over the same breaches. In its own complaint, the FTC alleged that Marriott misled consumers by claiming to have reasonable and appropriate data security measures in place.

Conclusion

The FTC's order is a significant reminder of the importance of robust security controls in protecting customer data. As Marriott and Starwood work to meet the order's requirements, customers can expect greater transparency about security incidents and more control over their personal information.

Sources

  • FTC orders Marriott and Starwood to boost cybersecurity following major incidents, TechRadar.
