On October 9, 2024, the Federal Trade Commission (FTC) and state attorneys general (AGs) from 49 states and the District of Columbia announced a pair of parallel settlements with Marriott International Inc., resolving liability for a series of three data breaches from 2014 to 2020 and allegedly involving 344 million customers worldwide. The commission voted 3–0–2 along party lines to issue the administrative complaint and accept the consent agreement; both Republican commissioners were recused.
The settlement resolved liability for a series of three data breaches including two breaches involving Starwood that began before its acquisition by Marriott. Although the FTC lacks authority to impose monetary penalties for the breaches, the state AGs reached a $52 million settlement with the hotel brand.
Factual Background
According to the FTC’s administrative complaint, Marriott and Starwood Hotels & Resorts Worldwide LLC, which Marriott acquired in 2016, failed to implement reasonable data security practices, leading to three large data breaches from 2014 to 2020. Notably, the FTC complaint recited the timeline for the due diligence and acquisition of Starwood by Marriott as the basis for holding Marriott responsible for Starwood’s information security environment and pre-acquisition security incidents for the purposes of resolving the action.
Specifically, the FTC alleged that Marriott had extensive visibility into and awareness of Starwood’s information security environment during the due diligence phase, pre-transaction period, and post-closing, and noted the incident was not reported by Starwood until after the transaction closed. Not surprisingly, the FTC complaint also alleged that Marriott became responsible for all Starwood systems following the acquisition and was ultimately responsible for the failure to detect additional incidents. Starwood’s preexisting data security practices led to two security breaches in June 2014 and July 2014 that went undetected for many years.
- The June 2014 breach of Starwood systems continued undetected for 14 months and involved payment card information for more than 40,000 Starwood customers, according to the FTC’s complaint.
- The second alleged Starwood breach, which occurred between July 2014 and September 2018, allegedly involved guest account records for 339 million Starwood customers worldwide and 5.25 million unencrypted passport numbers. This unauthorized activity went undetected by Marriott until September 2018, according to the FTC’s complaint.
- The third breach, which impacted Marriott’s network, occurred in September 2018 and allegedly involved the unauthorized access of 5.2 million guest records. The September 2018 breach went undetected until February 2020, according to the FTC’s complaint.
FTC Settlement Terms
The FTC settlement with Marriott and Starwood includes a number of provisions providing rights to consumers. Under the agreement, consumers can request a review of unauthorized activity in their loyalty rewards accounts, and Marriott and Starwood are obligated to restore any loyalty points stolen by malicious actors. Additionally, customers must be provided with a link to request deletion of personal information associated with their customer account or email address.
The settlement mandates that Marriott and Starwood implement a comprehensive written information security program and data minimization practices. As a part of this program, Marriott and Starwood must test and monitor the effectiveness of their safeguards at least annually and within 120 days following any future incidents that legally require notification.
Among other prescriptive provisions and undertakings, Marriott and Starwood must cooperate with and undergo biennial information security assessments by an independent third party for 20 years. They must establish protocols that give Marriott and Starwood increased oversight over vendors and franchisees so they can adequately safeguard the personal information they access or receive. Marriott and Starwood are prohibited from making misrepresentations regarding their privacy and security practices. Finally, the Marriott and Starwood CEO must submit a written certification of compliance with the undertakings to the FTC annually. Violation of any provision of the order could subject Marriott and Starwood to significant monetary penalties.
State AGs Settlement
In parallel with the FTC’s settlement announcement, a coalition of state AGs, which included the District of Columbia and every U.S. state except California, announced its own settlement with Marriott to resolve liability stemming from the same three data breaches. The settlement includes a cumulative $52 million in penalties, which are distributed across the relevant states. Its requirements largely mirror those of the FTC settlement. Unique to the AGs’ settlement is Marriott’s obligation to conduct risk assessments for “Critical IT Vendors.”
Limited FTC Enforcement
While the FTC can seek civil penalties and consumer redress for violations of certain laws and rules it enforces, the Supreme Court’s landmark AMG Capital decision severely hamstrung the FTC’s ability to seek monetary remedies for violations of the FTC Act, including data security violations. As a result, the FTC has sought out creative workarounds. Partnering with state AGs has been a common solution.
One of the most notable aspects of the FTC’s announcement in this case was the explicit statement that “[t]he FTC does not have legal authority to obtain civil penalties in this case.” Statements like this have become increasingly common in FTC settlements that rely on the enforcement authority of the state AGs to collect monetary penalties in cases where it cannot, as the FTC signals to Congress that legislation is needed to replenish its enforcement arsenal. Until Congress acts, expect the FTC to continue to coordinate with state AGs and use the states’ independent financial penalty authority to negotiate settlements in cases where the FTC can’t bring its own penalties or seek redress for harmed consumers. In the meantime, the FTC continues to use its rulemaking authority to attempt to broaden its ability to collect penalties against companies that fail to abide by those rules, including companies that suffer a data breach. The FTC’s expected proposed rulemaking on commercial surveillance and data security would specifically apply to the conduct alleged in the FTC’s complaint.
Takeaways
- Heightened Risk to Due Diligence. Companies should be aware of the potential liability for pre-acquisition data security incidents or insufficient data security controls and bolster information security reviews in due diligence efforts. The FTC has made clear that an acquired company should be brought on board securely, and that an acquirer may be liable for pre-closing practices of the acquiree. Post-acquisition, companies should consider scrutinizing the target’s information security program and factor that assessment into whether and how to expedite integration.
- Importance of Comprehensive Written Information Security Programs. The FTC has effectively doubled down on its preexisting standards for a written information security program supported by periodic risk assessments as the basis to implement and maintain appropriate technical, administrative, and physical controls. The order highlights access controls, software updates, employee training, data minimization practices, vendor oversight, and the importance of regularly updating and testing security protocols to identify and address vulnerabilities and keep up with evolving threats.
- Revisit Incident Detection, Escalation, and Response Procedures. Review and consider enhancements to implement and maintain a robust incident response plan that allows for timely incident detection, internal reporting and escalation, and response. Incidents that go undetected for longer periods of time are likely to be viewed unfavorably by both federal and state regulators. The FTC’s Health Breach Notification Rule, which took effect on July 29, 2024, and applies broadly to protected health records, requires covered entities to notify the FTC within 60 days of discovering a breach involving 500 or more individuals, contemporaneously with notifying affected individuals and the media. The Safeguards Rule, which applies to nonbanking financial institutions, requires notifying the FTC within 30 days of discovery of the notification event. Incident response plans should be updated to account for these timelines.