October 10, 2024 at 03:05PM
Marriott International and Starwood Hotels will pay $52 million to settle data breach claims affecting over 344 million customers. They must implement a comprehensive security program, allow data deletion requests, and provide transparency in data handling. Additionally, they agreed to pay 49 states to resolve related allegations.
### Meeting Takeaways
#### Settlement Overview:
– **Parties Involved**: Marriott International and subsidiary Starwood Hotels.
– **Settlement Amount**: $52 million to be paid in total.
– **Impacted Customers**: Over 344 million.
#### Key Requirements of the Settlement:
1. **Implementation of Security Measures**:
– Establish a comprehensive information security program.
– Conduct third-party assessments every two years.
– Certify compliance annually for a period of 20 years.
2. **Data Management Improvements**:
– Limit data retention to what is necessary.
– Inform customers about the purpose of data collection and retention.
– Allow customers to review unauthorized activity in loyalty accounts.
– Provide options for customers to request deletion of personal information.
3. **Transparency and Accountability**:
– Prohibit misrepresentations regarding the handling of personal data.
– Ensure transparency in data security practices.
4. **Financial Settlement with States**:
– An additional payment of $52 million to 49 states and the District of Columbia to resolve related claims.
#### Background on Data Breaches:
– **Starwood Breach (2014)**: Exposed payment card information; disclosed 14 months later.
– **Starwood Guest Accounts Breach (2014-2018)**: 339 million accounts affected, including 5.25 million unencrypted passport numbers; detected in September 2018.
– **Marriott Breach (September 2018)**: 5.2 million guest records compromised; detected in February 2020.
#### FTC Findings:
– The FTC accused the companies of misleading consumers about their data security practices.
– Identified failures included poor password controls, outdated software, and inadequate IT monitoring.
### Action Items:
– Ensure understanding and compliance with the new security measures within the organization.
– Prepare for upcoming third-party assessments and annual compliance checks.
– Review current data handling and retention policies in light of the settlement requirements.
– Communicate changes and new options to customers regarding their personal data management.