The Federal Trade Commission has issued a comprehensive order requiring Marriott International and Starwood Hotels to implement enhanced data security measures following multiple significant breaches affecting 344 million customers worldwide.
Key Security Requirements:
– Implementation of a comprehensive information security program including encryption, access controls, and multi-factor authentication
– Development of data retention policies and customer data deletion options
– 24-hour security event monitoring and anomaly detection
– Biennial security assessments with FTC reporting for 20 years
– Customer loyalty points protection and restoration procedures
– Prompt breach notification protocols
Timeline and Implementation:
– Order effective date: December 20, 2024
– Implementation deadline: June 17, 2025
– Duration: 20 years, with possible extension
Previous Security Incidents:
– 2014: Starwood payment system breach with delayed disclosure
– 2014-2018: Major breach affecting 339 million guest records
– 2018-2020: Data breach impacting 5.2 million Marriott guests
Financial Impact:
Marriott agreed to a $52 million settlement with 49 states in October 2024 to resolve claims related to these security failures.
The order emphasizes customer data protection and transparency, requiring Marriott to maintain strict security standards and give U.S. consumers better control over their personal information.