Marriott and Starwood Ordered to Enforce Comprehensive Security Program

To settle charges following a series of data breaches, Marriott International and its subsidiary Starwood Hotels & Resorts are required to implement a “comprehensive information security program.” The requirement is part of a settlement resulting from three major data breaches that compromised sensitive information belonging to millions of guests. The breaches, which occurred over several years, exposed personal data including names, addresses, phone numbers, passport details, and payment information of customers who had stayed at Marriott and Starwood properties.

In response to these incidents, US regulators have required both companies to strengthen their security measures to prevent future breaches. Under the settlement, Marriott and Starwood must harden their cybersecurity infrastructure, conduct regular risk assessments, and provide ongoing training to staff. The comprehensive security program is intended to safeguard customer data, improve breach detection and response, and ensure compliance with data protection regulations. These steps aim to restore consumer trust and prevent further violations of data privacy.

The settlement also requires the hospitality group to appoint a dedicated individual to lead the comprehensive information security program. This leader will be responsible for overseeing its implementation, providing regular governance reports, and tracking and documenting the program’s progress at specified intervals. The order further mandates that employees receive regular training on “safeguarding” personal information stored on the group’s IT assets, so that all staff understand data protection best practices and the importance of securing sensitive customer information.

By implementing these measures, the company aims to strengthen its data security practices and prevent future breaches. For IT and security teams, the settlement imposes several specific requirements: documented incident response plans, robust logging and monitoring, and multi-factor authentication for remote access to the IT environment. The company must also practice basic security hygiene, such as keeping systems updated and applying patches promptly, and implement additional protections for how customer personal information is stored.

The order also emphasizes careful vendor selection and management. Marriott and Starwood are required to ensure that third-party vendors meet the same standards set for internal security practices, so that the entire supply chain maintains a high level of data protection and the risk of a breach through an external partner is reduced.

The charges against Marriott and Starwood were brought by the US Federal Trade Commission (FTC) following data breaches that affected approximately 344 million customers worldwide.

The FTC alleged that the hotel and resort operator had misrepresented its data security practices and how it handled personal information. According to the FTC, security failures led to at least three separate data breaches, during which malicious actors gained access to vast amounts of personal data belonging to hundreds of millions of consumers. The compromised information included sensitive details such as passport information, payment card numbers, and loyalty program numbers. The FTC’s action highlights the serious consequences of inadequate data protection and the importance of maintaining robust security measures to safeguard consumer information.