Executive Summary
Our Consumer Protection/FTC and Privacy, Cyber & Data Strategy teams unpack Starwood Hotels' and Marriott International's settlements with the Federal Trade Commission and Marriott's settlement with state attorneys general over three data breaches.
- Highlights companies' potential liability for acquired entities' prior data security incidents or insufficient data security controls
- Emphasizes the importance of regularly updating and testing written-information security programs to identify and address vulnerabilities
- Underscores the need to consider enhancing response plans to effectively detect, report, escalate, and respond to security incidents
On October 9, 2024, the Federal Trade Commission (FTC) and state attorneys general (AGs) from 49 states and the District of Columbia announced a pair of parallel settlements with Marriott International Inc., resolving liability for a series of three data breaches from 2014 to 2020 and allegedly involving 344 million customers worldwide. The commission voted 3–0–2 along party lines to issue the administrative complaint and accept the consent agreement; both Republican commissioners were recused.
The settlement resolved liability for a series of three data breaches, including two breaches involving Starwood that began before its acquisition by Marriott. Although the FTC lacks authority to impose monetary penalties for the breaches, the state AGs reached a $52 million settlement with the hotel brand.
Factual Background
According to the FTC's administrative complaint, Marriott and Starwood Hotels & Resorts Worldwide LLC, which Marriott acquired in 2016, failed to implement reasonable data security practices, leading to three large data breaches from 2014 to 2020. Notably, the FTC complaint recited the timeline for the due diligence and acquisition of Starwood by Marriott as the basis for holding Marriott responsible for Starwood's information security environment and pre-acquisition security incidents for the purposes of resolving the action.
Specifically, the FTC alleged that Marriott had extensive visibility into and awareness of Starwood's information security environment during the due diligence phase, pre-transaction period, and post-closing, and noted the incident was not reported by Starwood until after the transaction closed. Not surprisingly, the FTC complaint also alleged that Marriott became responsible for all Starwood systems following the acquisition and was ultimately responsible for the failure to detect additional incidents. Starwood's preexisting data security practices led to two security breaches in June 2014 and July 2014 that went undetected for many years.
- The June 2014 breach of Starwood systems continued undetected for 14 months and involved payment card information for more than 40,000 Starwood customers, according to the FTC's complaint.
- The second alleged Starwood breach, which occurred between July 2014 and September 2018, allegedly involved guest account records for 339 million Starwood customers worldwide and 5.25 million unencrypted passport numbers. This unauthorized activity went undetected by Marriott until September 2018, according to the FTC's complaint.
- The third breach, which impacted Marriott's network, occurred in September 2018 and allegedly involved the unauthorized access of 5.2 million guest records. The September 2018 breach went undetected until February 2020, according to the FTC's complaint.
FTC Settlement Terms
The FTC settlement with Marriott and Starwood includes a number of provisions providing rights to consumers. Under the agreement, consumers can request a review of unauthorized activity in their loyalty rewards accounts, and Marriott and Starwood are obligated to restore any loyalty points stolen by malicious actors. Additionally, customers must be provided with a link to request deletion of personal information associated with their customer account or email address.
The settlement mandates that Marriott and Starwood implement a comprehensive written-information security program and data minimization practices. As part of this program, Marriott and Starwood must test and monitor the effectiveness of their safeguards at least annually and within 120 days following any future incident that legally requires notification.
Among other prescriptive provisions and undertakings, Marriott and Starwood must cooperate with and undergo biennial information security assessments by an independent third party for 20 years. They must establish protocols that give Marriott and Starwood increased oversight over vendors and franchisees so that those parties adequately safeguard the personal information they access or receive. Marriott and Starwood are prohibited from making misrepresentations regarding their privacy and security practices. Finally, the Marriott and Starwood CEO must submit a written certification of compliance with the undertakings to the FTC annually. Violation of any provision of the order could subject Marriott and Starwood to significant monetary penalties.
State AGs Settlement
In parallel with the FTC's settlement announcement, a coalition of state AGs, which included the District of Columbia and every U.S. state except California, announced its own settlement with Marriott to resolve liability stemming from the same three data breaches. The settlement includes a cumulative $52 million in penalties, which are distributed across the relevant states. Its requirements largely mirror those of the FTC settlement. Unique to the AGs' settlement is Marriott's obligation to conduct risk assessments for "Critical IT Vendors."
Limited FTC Enforcement
While the FTC can seek civil penalties and consumer redress for violations of certain laws and rules it enforces, the Supreme Court's landmark AMG Capital decision severely hamstrung the FTC's ability to seek monetary remedies for violations of the FTC Act, including data security violations. As a result, the FTC has sought out creative workarounds. Partnering with state AGs has been a common solution.
One of the most notable aspects of the FTC's announcement in this case was the explicit statement that "[t]he FTC does not have legal authority to obtain civil penalties in this case." Statements like this have become increasingly common in FTC settlements that rely on the enforcement authority of the state AGs to collect monetary penalties in cases where it cannot, as the FTC signals to Congress that legislation is needed to replenish its enforcement arsenal. Until Congress acts, expect the FTC to continue to coordinate with state AGs and use the states' independent financial penalty authority to negotiate settlements in cases where the FTC can't bring its own penalties or seek redress for harmed consumers. In the meantime, the FTC continues to use its rulemaking authority to attempt to broaden its ability to collect penalties against companies that fail to abide by those rules, including companies that suffer a data breach. The FTC's expected proposed rulemaking on commercial surveillance and data security would specifically apply to the conduct alleged in the FTC's complaint.
Takeaways
- Heightened Risk to Due Diligence. Companies should be aware of the potential liability for pre-acquisition data security incidents or insufficient data security controls and bolster information security reviews in due diligence efforts. The FTC has made clear that an acquired company should be brought on board securely, and that an acquirer may be liable for pre-closing practices of the acquiree. Post-acquisition, companies should consider scrutinizing the target's information security program and factor that assessment into whether and how to expedite integration.
- Importance of Comprehensive Written-Information Security Programs. The FTC has effectively doubled down on its preexisting standards for a written-information security program supported by periodic risk assessments as the basis to implement and maintain appropriate technical, administrative, and physical controls. The order highlights access controls, software updates, employee training, data minimization practices, vendor oversight, and the importance of regularly updating and testing security protocols to identify and address vulnerabilities and keep up with evolving threats.
- Revisit Incident Detection, Escalation, and Response Procedures. Review and consider enhancements to implement and maintain a robust incident response plan that allows for timely incident detection, internal reporting and escalation, and response. Incidents that go undetected for longer periods of time are likely to be viewed unfavorably by both federal and state regulators. The FTC's Health Breach Notification Rule, which took effect on July 29, 2024 and applies broadly to protected health records, requires covered entities to notify the FTC within 60 days of discovering a breach involving 500 or more individuals, contemporaneously with notifying affected individuals and the media. The Safeguards Rule, which applies to nonbanking financial institutions, requires notifying the FTC within 30 days of discovery of the notification event. Incident response plans should be updated to account for these timelines.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.