Introduction
On December 20, 2024, the Federal Trade Commission (the “FTC”) finalized a consent agreement (“Consent Order”) with Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC (collectively, “Marriott”) to settle allegations that Marriott failed to implement reasonable data security measures, resulting in three large data breaches from 2014 to 2020 and affecting more than 344 million customers worldwide. With obligations extending 20 years, the Consent Order requires Marriott to, among other remedial steps, implement a comprehensive information security program (“ISP”) with prescribed security measures, the effectiveness of which will be subject to a third-party independent biennial assessment. Key elements of the required ISP include multi-factor authentication (“MFA”), encryption, asset inventory, written documentation, and vulnerability and patch management. The final Consent Order is materially identical to the proposal announced on October 9, 2024.
Under a parallel settlement with attorneys general (“AGs”) in 49 states and the District of Columbia, who investigated the breaches in coordination with the FTC, Marriott agreed to pay a $52 million civil penalty to resolve similar data security allegations.
The Consent Order serves as a reminder of the FTC’s previously articulated focus on protecting consumer personal information and provides a roadmap of the regulator’s ongoing expectations for companies’ implementation of information security programs. The Consent Order also indicates what the FTC currently considers “reasonable” security practices for companies like Marriott. Notably, the FTC and state regulator enforcement approach reinforces how existing cybersecurity regulations are creating a baseline of expected practices that extend beyond more heavily regulated sectors.
In this blog post, we discuss key provisions in the Consent Order, which not only underscore the FTC’s expectations for (and enforcement of) reasonable security practices in the absence of specific regulations but also highlight the added compliance burden that companies may face in an enforcement action. We discuss what this means for businesses across sectors and what businesses can do to prepare.
FTC’s Action Against Marriott
Marriott’s and Starwood’s Alleged Security Failures
In its complaint against Marriott (the “Complaint”), the FTC alleged that from 2014 to 2020, Marriott and Starwood failed to implement reasonable or appropriate information security measures to protect the personal information that they collected and maintained about consumers. The FTC also alleged that Marriott made misrepresentations about its security practices. The FTC alleged that these actions constituted unfair and deceptive practices, respectively, in violation of Section 5 of the FTC Act.
The FTC alleged that, as a result of these security failures, malicious actors were able to gain unauthorized access to Starwood’s and Marriott’s networks in at least three separate breaches, exposing the personal information (including payment card details, unencrypted passport numbers, loyalty account numbers, and flight details associated with hotel stays) of hundreds of millions of consumers worldwide to financial fraud, identity theft, and other injuries. As the FTC highlighted, Marriott was responsible for the data security practices of both brands after Marriott acquired Starwood and took control of Starwood’s computer network in 2016.
FTC Settlement Consent Order
In its Complaint, the FTC alleged that Marriott failed to adopt reasonable security practices. Pursuant to the final Consent Order, which has a 20-year term, Marriott agreed to strengthen and continually improve its cybersecurity practices. As detailed below, Marriott agreed to measures—some exceptional, some more standard—to assess, govern, and validate its information security practices, including implementation of a comprehensive ISP.
Certain of the measures to which Marriott agreed extend beyond the scope of standard security programs. These include:
(1) Initial and Biennial Third-Party Information Security Assessments: Marriott must obtain a third-party assessment of the efficacy of Marriott’s data security program once every two years. Marriott must also cooperate with the assessor by making available all relevant information, Marriott IT assets, and material facts for determining whether Marriott has effectively implemented its ISP. The initial assessment must be submitted to the FTC and subsequent assessments retained by Marriott for five years after completion, to be made available upon request by the FTC. Additionally, the FTC must approve the independence of the third-party assessor.
(2) Post-Acquisition Assessments: Marriott must assess whether the ISP of any newly acquired entity complies with the terms of the Consent Order. Before the acquired entity can access any Marriott asset, Marriott must develop a plan and timeline to remediate any identified gaps and deficiencies regarding compliance with the Consent Order’s security safeguards.
(3) Franchisee Risk Management: Marriott must contractually bind its franchisees to the terms of the Consent Order. Marriott also agreed to impose a risk-based audit program to review franchisee compliance with the conditions outlined in the Consent Order. Although they are typical for vendor risk management, contractual and auditing provisions on cybersecurity are not standard practices for franchisors.
In the Consent Order, Marriott further agreed to the following measures, more typical of security programs:
(4) Governance: Marriott must provide annual written reports on the ISP to its Board of Directors (the “Board”) and designate a qualified employee to oversee implementation of the ISP. For entities covered by the Consent Order that do not have a Board, Marriott must report to a senior officer responsible for the ISP. Marriott also must provide a written report to the governing body within 120 days of any cyber incident about which Marriott is legally required to notify state or federal authorities (“Covered Incident”).
(5) Risk Assessments: Marriott must conduct risk assessments annually and within 120 days of any Covered Incident. The risk assessment will consist of assessing and documenting any risks to the security, confidentiality, or integrity of personal data that could result in its compromise. Unauthorized collection, unauthorized use, unauthorized provision of access to, and misuse of, personal data are some instances of compromises under the Consent Order.
(6) Risk-Based Safeguards: Based on the outcomes of the risk assessment, Marriott must implement certain enumerated safeguards, including:
- Employee cybersecurity training: Annual role-appropriate training on safeguarding personal information for Marriott and Marriott Franchised Hotels employees who either are responsible for the ISP or have access to personal information on any Marriott IT asset.
- Incident plan documentation and maintenance: Written documentation on the content, establishment, implementation, and maintenance of an incident response plan (“IRP”) protecting against unauthorized access to personal information.
- Logging and monitoring: Policies and procedures for integrating third-party monitoring services for logging events on Marriott IT systems and facilitating identification of and response to cyber incidents under the IRP.
- Access controls: Policies, procedures, and technical measures to mitigate the risk of online attacks. These include strong passwords, prohibiting the use of compromised credentials, and employing the principle of least privilege to limit employees’ access to customer information.
- MFA: MFA for network login, or equivalent enhanced authentication measures, for any remote access to Marriott IT assets (including databases) by Marriott employees and vendors. Similar authentication measures for personal account access must also be offered as an option to U.S. consumers.
- Network segmentation and hardening: Configuration standards for operating systems and network devices in Marriott’s corporate network segment and other non-property network segments against known threats and vulnerabilities. Any new operating systems or network devices for Marriott IT systems must meet Marriott’s configuration standards before approval.
- Encryption of personal information: Encryption, tokenization, or other security measures to protect personal information on Marriott IT assets.
- Asset inventory and classification: Scanning or equivalent monitoring tools to regularly inventory and classify Marriott IT assets that contain personal information, including hardware, software, and location information for any Marriott IT assets. Further, any removed Marriott assets with personal information must be destroyed or have their data encrypted.
- Vulnerability and patch management: Vulnerability and patch management to maintain and support software on Marriott IT assets containing personal information. Governing policies and procedures must account for the operational, technological, and security impact of updates as well as the scope of resources required to maintain, update, and support the software in a timely manner.
(7) Testing and Monitoring: Marriott must test and adjust all safeguards in light of developing business operations and technological advances at least annually and within 120 days of any Covered Incident. As part of its testing and monitoring obligations, Marriott must include a vulnerability management program reasonably designed to continually identify and assess any security vulnerabilities. This testing and monitoring must include discovering vulnerabilities identified by reputable outside sources, assigning risk rankings to new vulnerabilities, running internal and external network vulnerability scans at least quarterly, and performing rescans to ensure previously identified vulnerabilities have been remediated. Furthermore, the testing and monitoring program must include an appropriate schedule of risk-based tests that feature internal and external penetration testing, segmentation testing, and web application penetration testing.
(8) Vendor Risk Management: Marriott must select and retain vendors capable of safeguarding customers’ personal information and contractually require these vendors to implement and maintain sufficient safeguards.
(9) Data Retention and Disposal: Marriott must retain personal information only as long as reasonably necessary to fulfill the purpose for which the information was collected. As an exceptional measure, Marriott must provide a link for customers to request deletion of personal information associated with their email address or loyalty rewards account number, regardless of whether the customer is in a state jurisdiction that provides a right to delete.
In addition to the above, Marriott will be subject to regular review by both the FTC and consumers regarding the quality of security measures surrounding consumers’ personal information. In particular, Marriott must provide annual certification that it has complied with the terms of the Consent Order, submit notifications within 10 days of any legally mandated reportable incident, and enable consumers to request review of unauthorized activity in Marriott loyalty rewards accounts. Moreover, Marriott agreed to avoid misrepresenting its practices, expressly or by implication, around consumers’ personal information.
Collectively, the obligations to assess, govern, and validate Marriott’s security practices represent the FTC’s attempt to ensure that Marriott has implemented reasonable security practices.
Parallel Settlement with State Regulators
In parallel with the Consent Order, Marriott entered a final consent decision (the “AG Settlement”) with the AGs from the District of Columbia and 49 states (all but California). The AG Settlement also featured a 20-year term. Whereas the Consent Order has a 180-day implementation deadline, the AG Settlement requires full implementation within one year: by October 9, 2025. Furthermore, the AG Settlement requires a $52 million payment to the participating states. The AG Settlement contains many similar provisions to the Consent Order, including the requirement to implement an ISP with annual reporting and third-party audits, as well as technical safeguards to protect consumer data, including the use of MFA and encryption. In several important ways, however, the AG Settlement is more prescriptive:
- Additional Board Management Requirements: While the Consent Order leaves open the precise contours of board management, the state regulators require, among other things, designation of a Chief Information Security Officer and appointment of a Board Committee focused on the ISP that meets at least four times a year.
- Additional Technical Requirements: The AG Settlement requires additional training measures, including an annual tabletop exercise, and additional technical specifications, including compliance with PCI DSS and Zero Trust principles as well as use of digital certificates.
- Categorical Vendor Oversight: Like the Consent Order, the state regulators hold Marriott accountable for developing and maintaining written policies and procedures for vendors. The AG Settlement goes further in designating a special category of vendor—“Critical IT Vendors”—that manage a significant component of the ISP and have access to Marriott data or databases. For these Critical IT Vendors, Marriott has agreed to develop, implement, and maintain enhanced security protocols including contractual provisions, vendor performance monitoring, and access limitations.
Together, the Consent Order and AG Settlement suggest a shifting business climate with increasing regulatory scrutiny into organizations’ cybersecurity governance, even in sectors not previously targeted for cybersecurity regulation.
Implications for Businesses and Takeaways
The Consent Order demonstrates the FTC’s willingness to bring enforcement action against companies for failure to implement reasonable cybersecurity practices to protect consumer information, especially in the aftermath of incidents or data breaches. Moreover, the Consent Order follows a trend of the FTC regulating technology under its existing Section 5 authority from the Federal Trade Commission Act. Likewise, state regulators in the AG Settlement cited their general consumer protection and data breach notification laws.
This expansive enforcement approach is not novel and parallels recent regulatory activity pursuing compliance through existing laws for newer technology and technological developments. For instance, the U.S. Treasury recently emphasized how existing regulations for financial firms address AI-related risks.
The FTC’s Consent Order and AG Settlement are a reminder to companies that are not currently subject to sector-specific cybersecurity requirements to consider the following:
- Benchmark. Substantive cybersecurity requirements from industry-specific cyber regulations (like NYDFS Part 500 and the FTC Safeguards Rule) are being exported by other regulators to set a baseline for expected behavior across the business ecosystem. These include requirements for corporate governance and board oversight, and technical requirements like the use of MFA and logging, as well as incident response and business continuity planning through robust plans that are clearly documented. Consider, as well, additional best practices that are relatively simple to implement, including password controls and authentication, network segmentation, and regular monitoring for cyber threats. Companies should also consider closely monitoring the FTC’s guidance and enforcement actions on cybersecurity.
- Conduct Periodic Third-Party Risk Assessments. The Consent Order specifically calls for Marriott to engage an independent third party to assess the effectiveness of its ISP. Such third-party audits are also a requirement for specific types of financial institutions under NYDFS Part 500. Regardless of industry, companies should consider the merits of conducting such third-party risk assessments and of doing so at the direction of counsel, under privilege.
- Conduct Careful Cybersecurity Due Diligence Pre-Acquisition and Develop Post-Acquisition Remediation Plan. As the Consent Order highlights, an acquiring firm could inherit the legacy cybersecurity practices, and associated inadequacies, of an acquired firm. Such an acquiring firm could, as a result, be on the hook for historical incidents that are not adequately addressed at the point of acquisition. The Marriott action serves as a reminder for companies to conduct careful cybersecurity and privacy due diligence pre-acquisition, tailored to the specific risks that the to-be-acquired entity’s business may present. Where pre-acquisition diligence is not possible, companies should consider taking post-close steps to evaluate the acquired entity’s cybersecurity posture before integrating systems. Relatedly, companies should consider the best ways to appropriately allocate such risks in the acquisition negotiation process and develop a plan to timely remediate any outstanding issues post-acquisition, including by testing in a scenario-specific IRP playbook.
- Establish Third-Party Risk Management Protocols. The third breach at issue in the Consent Order involved a Marriott-franchised property that was used to gain access to Marriott’s network. Companies should consider risk from any third parties whose networks, if compromised, would affect the company systems or data. Considering risk can involve implementing pre-engagement measures and adjusting aspects of the ISP focused on quick diagnosis post-breach.
- Minimize Data Retention. Regulators, including the FTC and state attorneys general, have pursued companies for data retention under privacy laws and other frameworks. Data minimization—collecting, using, and retaining only necessary data—should be done incrementally and thoughtfully, and if done well, can promote operational efficiency. As we have previously written, data minimization procedures can be beneficial in at least two ways. First, they reduce cyber risk by eliminating unnecessary data, including personal data. In addition, data minimization practices may reduce regulatory scrutiny by showing an effort to reduce the amount of sensitive data that an organization collects and maintains.
The cover art used in this blog post was generated by DALL-E.