Marriott settles for a piddly $52M after series of breaches affecting millions

October 9, 2024 at 05:16PM

Marriott will pay a $52 million penalty and strengthen its cybersecurity program following a series of data breaches between 2014 and 2020 that affected roughly 344 million individuals. Settlements with 49 state attorneys general, the District of Columbia and the FTC mandate improved data security measures and give customers new rights over their personal information; Marriott admits no liability.

### Key Takeaways:

1. **Settlement Overview**:
– Marriott has agreed to pay a **$52 million penalty** over data breaches affecting more than **344 million individuals** between 2014 and 2020.
– The state settlement was reached with a coalition of **49 state attorneys general** and the **District of Columbia** following an investigation into the security lapses behind the breaches.

2. **FTC Agreement**:
– Requires Marriott and its subsidiary **Starwood Hotels** to strengthen their cybersecurity practices.
– Marriott must certify its compliance with the order to the FTC for **20 years**.
– Customers must be given a simple way to request deletion of their personal information.

3. **No Admission of Liability**:
– Marriott admits no liability for the breaches, as stated on its website.

4. **Data Privacy Enhancements**:
– Marriott will make ongoing enhancements to its data privacy and security programs, including:
– A deletion request process for US customers.
– An online portal through which Marriott Bonvoy members can report suspicious account activity.
– Multi-factor authentication for Bonvoy accounts.

5. **Breach Details**:
– **Three significant breaches** occurred:
– Compromise of payment card data for about **40,000** Starwood customers (2014).
– Compromise of the Starwood guest reservation database (2014-2018), exposing more than **339 million** guest records, including unencrypted passport numbers.
– A further breach affecting **1.8 million** Americans' data (discovered in 2020).

6. **Security Flaws Identified**:
– The complaints cited numerous security failures, including:
– Weak password controls.
– Inadequate access controls.
– No multi-factor authentication and insufficient network logging and monitoring.

7. **Future Security Measures**:
– Marriott must establish a comprehensive **information security program**, assessed every two years by an independent third party.
– Marriott must deploy **multi-factor authentication**, enforce network segmentation, and encrypt data.
– Marriott must restore loyalty points stolen by cybercriminals and give customers a way to review their accounts for unauthorized activity.

8. **Financial Context**:
– Marriott's 2023 revenue was approximately **$23.71 billion**, so the $52 million penalty amounts to roughly 0.2% of one year's revenue.

### Action Items:
– Track Marriott's implementation of the required security measures and its ongoing compliance with the FTC and state orders.
– Keep stakeholders informed about the rollout of the comprehensive infosec program and the customer-facing changes (deletion requests, suspicious-activity reporting, MFA).