Our Consumer Protection/FTC and Privacy, Cyber & Data Strategy teams unpack Starwood Hotels’ and Marriott International’s settlements with the Federal Trade Commission and Marriott’s settlement with state attorneys general over three data breaches. On October 9, 2024, the Federal Trade Commission (FTC) and state attorneys general (AGs) from 49 states and the District of Columbia announced a pair of parallel settlements with Marriott International Inc., resolving liability for a series of three data breaches from 2014 to 2020 and allegedly involving 344 million customers worldwide. The commission voted 3–0–2 along party lines to issue the administrative complaint and accept the consent agreement; both Republican commissioners were recused. The settlement resolved liability for a series of three data breaches including two breaches involving Starwood that began before its acquisition by Marriott. Although the FTC lacks authority to impose monetary penalties for the breaches, the state AGs reached a $52 million settlement with the hotel brand.
Factual Background
According to the FTC’s administrative complaint, Marriott and Starwood Hotels & Resorts Worldwide LLC, which Marriott acquired in 2016, failed to implement reasonable data security practices, leading to three large data breaches from 2014 to 2020. Notably, the FTC complaint recited the timeline for the due diligence and acquisition of Starwood by Marriott as the basis for holding Marriott responsible for Starwood’s information security environment and pre-acquisition security incidents for the purposes of resolving the action. Specifically, the FTC alleged that Marriott had extensive visibility into and awareness of Starwood’s information security environment during the due diligence phase, pre-transaction period, and post-closing, and noted the incident was not reported by Starwood until after the transaction closed. Not surprisingly, the FTC complaint also alleged that Marriott became responsible for all Starwood systems following the acquisition and was ultimately responsible for the failure to detect additional incidents. Starwood’s preexisting data security practices led to two security breaches in June 2014 and July 2014 that went undetected for many years.
FTC Settlement Terms
The FTC settlement with Marriott and Starwood includes a number of provisions providing rights to consumers. Under the agreement, consumers can request a review of unauthorized activity in their loyalty rewards accounts, and Marriott and Starwood are obligated to restore any loyalty points stolen by malicious actors. Additionally, customers must be provided with a link to request deletion of personal information associated with their customer account or email address. The settlement mandates that Marriott and Starwood implement a comprehensive written information security program and data minimization practices. As a part of this program, Marriott and Starwood must test and monitor the effectiveness of their safeguards at least annually and within 120 days following any future incidents that legally require notification. Among other prescriptive provisions and undertakings, Marriott and Starwood must cooperate with and undergo biennial information security assessments by an independent third party for 20 years. They must establish protocols that give Marriott and Starwood increased oversight over vendors and franchisees so they can adequately safeguard the personal information they access or receive. Marriott and Starwood are prohibited from making misrepresentations regarding their privacy and security practices. Finally, the Marriott and Starwood CEO must submit a written certification of compliance with the undertakings to the FTC annually. Violation of any provision of the order could subject Marriott and Starwood to significant monetary penalties.
State AGs Settlement
In parallel with the FTC’s settlement announcement, a coalition of state AGs, which included the District of Columbia and every U.S. state except California, announced its own settlement with Marriott to resolve liability stemming from the same three data breaches. The settlement includes a cumulative $52 million in penalties, which are distributed across the relevant states. Its requirements largely mirror those of the FTC settlement. Unique to the AGs’ settlement is Marriott’s obligation to conduct risk assessments for “Critical IT Vendors.”
Limited FTC Enforcement
While the FTC can seek civil penalties and consumer redress for violations of certain laws and rules it enforces, the Supreme Court’s landmark AMG Capital decision severely limited the FTC’s ability to seek monetary remedies for violations of the FTC Act, including data security violations. As a result, the FTC has sought out creative workarounds. Partnering with state AGs has been a common solution.