FTC Pinpoints 13 Essential Corrections After Significant Data Breaches at Marriott and Starwood


# The Federal Trade Commission’s Reaction to the Marriott and Starwood Data Breaches

The hospitality sector has faced major data security problems in recent years, most visibly the extensive data breaches affecting Marriott International and its affiliate, Starwood Hotels. The Federal Trade Commission (FTC) has responded firmly to these events, demanding significant changes to improve data protection and prevent future breaches.

## Summary of the Data Breaches

The data breaches at Marriott and Starwood, which occurred over multiple years, have significantly affected millions of customers. The initial breach, reported in 2018, compromised roughly 327 million guests, exposing personal information such as names, addresses, phone numbers, email addresses, and even sensitive details like passport numbers and credit card information. Although the credit card numbers were encrypted, the possibility of unauthorized access raised serious concerns about the adequacy of the security protocols in place.

Further breaches exacerbated the situation, ultimately impacting over 344 million customers. The magnitude of these breaches highlighted the deficiencies within the companies’ data security systems and emphasized the critical need for reform.

## FTC’s Directives for Change

In response to these breaches, the FTC has directed Marriott and Starwood to enact a comprehensive suite of changes focused on protecting customer data. The order includes 13 specific requirements intended to tackle the deficiencies that led to the breaches. Key components of the FTC’s order include:

1. **Development of a Comprehensive Information Security Program**: The companies are required to establish a robust security program to shield customer information from unauthorized access and breaches.

2. **Data Retention Policy**: A policy must be adopted to keep personal information only for as long as necessary, thus minimizing the risk of exposure.

3. **Customer Data Deletion Requests**: Marriott and Starwood must provide a way for U.S. customers to ask for the deletion of their personal information linked to their accounts.

4. **Review of Loyalty Accounts**: The companies are mandated to assess loyalty rewards accounts upon customer requests and restore any stolen loyalty points.

5. **Transparency in Data Practices**: The order forbids the companies from misrepresenting their data collection, management, use, deletion, or disclosure practices.

6. **Employee Training**: Staff must be trained on data security best practices to ensure they appreciate the importance of safeguarding customer information.

7. **Incident Response Plans**: The companies must develop plans for addressing potential security threats and breaches.

8. **Intrusion Detection Policies**: Policies need to be put in place to effectively detect and respond to intrusions.

9. **Implementation of Two-Factor Authentication**: The adoption of two-factor authentication is required to bolster security for customer accounts.

## Consequences of the FTC’s Action

The FTC’s directives are a reminder of how much data security matters to any business that holds customer information. Many of the mandated changes are basic security measures, which reveals a troubling reality about the level of security at Marriott and Starwood prior to the breaches. The requirement for transparency in data handling and the prohibition of misrepresentation underline the need for companies to prioritize ethical data practices.

Furthermore, the FTC’s actions may establish a precedent for other organizations in the hospitality and retail industries, highlighting the necessity for strong security measures and accountability in the management of customer data. As consumers become increasingly aware of their rights concerning personal information, businesses must evolve to fulfill these expectations and protect their reputations.

## Conclusion

The Marriott and Starwood data breaches have highlighted the data security vulnerabilities that can arise in large organizations. The FTC’s response, with its extensive set of directives, seeks to address these challenges and shield consumers from future breaches. As the data privacy landscape continues to change, companies must remain alert and proactive in their efforts to secure customer information and uphold trust in their brands.