Marriott International has agreed to pay a huge sum to settle cybersecurity-related charges brought by the US Federal Trade Commission (FTC).
Fines aside, it also agreed to implement a more robust IT program and grant its customers better ways to manage their data, following multiple data breaches over the last ten years that have resulted in millions of customer data records being exposed, stolen, and otherwise compromised.
The FTC also argued that Marriott tried to hide the fact that it suffered the breaches, and “deceived consumers by claiming to have reasonable and appropriate data security.”
Robust IT infrastructure
“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”
The hospitality chain was charged by the FTC, and after years of back-and-forth, agreed to settle the charges by making certain changes to its systems, and paying a fine. That being said, Marriott agreed to pay a $52 million penalty to 49 states and the District of Columbia.
Furthermore, it will have to implement significant changes to its IT practices: it will have to tell the customers why it’s collecting their data, and is allowed to retain it for only as long as reasonably necessary; it will have to establish, implement and maintain a comprehensive information security program and certify compliance to the FTC annually for 20 years; it will have to allow consumers to review unauthorized activity in their Marriott Bonvoy loyalty rewards accounts; it will have to restore any loyalty points stolen by malicious actors and ultimately – it will have to must provide a link for customers to request deletion of their personal data.