The Federal Trade Commission (FTC) has mandated that Marriott International and its subsidiary, Starwood Hotels, implement a robust data security framework after repeated failures to protect customer data.
These lapses led to multiple high-profile data breaches affecting hundreds of millions of guests worldwide.
Key Security Requirements
The FTC order outlines stringent measures to ensure better protection of customer data. Marriott and Starwood must:
- Implement a Comprehensive Security Program: Develop and maintain an information security program incorporating encryption, access controls, multi-factor authentication, vulnerability management, and incident response protocols.
- Limit Data Retention: Retain personal data only as long as necessary and provide a website link for U.S. consumers to request data deletion.
- Enhance Monitoring and Logging: Detect unusual activity and security incidents within 24 hours by logging and monitoring IT assets.
- Conduct Regular Assessments: Perform independent biennial evaluations of the security program for 20 years and address identified vulnerabilities.
- Improve Customer Data Controls: Allow U.S. consumers to review suspected unauthorized activity in loyalty accounts and restore stolen rewards points in case of breaches.
- Timely Breach Notifications: Notify the FTC within 10 days of any required breach disclosures to government entities.
The companies are required to implement these changes within 180 days of the order’s effective date, December 20, 2024, setting the compliance deadline for June 17, 2025.
Bijay Pokharel