Gandalf_The_Grey
The Federal Trade Commission (FTC) has ordered Marriott International and Starwood Hotels to define and implement a robust customer data security scheme following failures that led to massive data breaches.
After acquiring Starwood in 2016 and failing to implement "reasonable data security," Marriott International suffered three major data breaches impacting 344 million customers globally.
Order for stronger measures
Now, the FTC has ordered Marriott and its subsidiary, Starwood, to establish a security program that would safeguard the clients’ sensitive data from hackers and provide them better control over their data.
According to the published order, the following key measures need to be taken:
- Establish, implement, and maintain a comprehensive information security program that encompasses encryption, access controls, multi-factor authentication, vulnerability management, and incident response plans
- Marriott must maintain policies to retain personal information only as long as reasonably necessary for its purposes, and include a link on its website for U.S. consumers to request deletion of their personal information
- Implement logging and monitoring of IT assets to detect anomalous activities and security events within 24 hours
- Conduct independent, biennial assessments of the information security program for 20 years and report to the FTC any identified gaps addressed
- Provide a method for U.S. consumers to review suspected unauthorized activity in their loyalty rewards accounts and restore those points in cases of a breach
- Inform the FTC within 10 days of any required notifications to governmental entities about security breaches

The FTC order mandates that Marriott and Starwood implement the required comprehensive information security program and related measures within 180 days from the date the order takes effect, which is December 20, 2024, setting a deadline for June 17, 2025.

FTC orders Marriott and Starwood to implement strict data security