October 11, 2024 at 04:39PM
Marriott and Starwood Hotels will pay $52 million in fines and enhance their information security after three data breaches affecting 344 million customers from 2014 to 2020. They must also allow customers to delete personal information and undergo compliance assessments for 20 years, ensuring improved data security practices globally.
### Meeting Takeaways:
1. **Settlement Overview**: Marriott and Starwood Hotels have reached a $52 million settlement with the FTC, addressing data breaches that affected 344 million customers from 2014 to 2020.
2. **Information Security Improvements**:
   - Creation of a revamped information security program.
   - Implementation of a policy to retain customer personal information only as necessary.
   - Introduction of a process for US customers to request deletion of their personal information linked to loyalty rewards accounts.
3. **Customer Accounts Management**:
   - Requirement to review loyalty rewards accounts upon request.
   - Commitment to reimburse customers for stolen loyalty points.
4. **FTC’s Role**: The FTC, led by Samuel Levine, is overseeing the enhancement of Marriott’s data security practices globally.
5. **Breach Timeline**:
   - **First Breach (June 2014)**: Payment card information of over 40,000 customers breached; undetected for 14 months.
   - **Second Breach (July 2014)**: 339 million guest accounts compromised, including 5 million unencrypted passport numbers; discovered in 2018.
   - **Third Breach (2018)**: 5.2 million guest records accessed, with nearly 2 million being American; undetected until February 2020.
6. **Compliance Requirements**:
   - Marriott and Starwood must certify compliance with FTC regulations annually for 20 years.
   - They are required to undergo independent third-party assessments every two years.