AGENCY:
Federal Trade Commission.
ACTION:
Proposed consent agreement; request for comment.
SUMMARY:
The consent agreement in this matter settles alleged violations of Federal law prohibiting unfair or deceptive acts or practices. The attached Analysis of Proposed Consent Order to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.
DATES:
Comments must be received on or before November 12, 2024.
ADDRESSES:
Interested parties may file comments online or on paper by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Please write “Marriott and Starwood; File No. 192 3022” on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, please mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Mail Stop H-144 (Annex L), Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT:
Katherine McCarron, Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, kmccarron@ftc.gov, (202-326-2333).
SUPPLEMENTARY INFORMATION:
Pursuant to section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule § 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of 30 days. The following Analysis to Aid Public Comment describes the terms of the consent agreement and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained at https://www.ftc.gov/news-events/commission-actions.
You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before November 12, 2024. Write “Marriott and Starwood; File No. 192 3022” on your comment. Your comment—including your name and your State—will be placed on the public record of this proceeding, including, to the extent practicable, on the https://www.regulations.gov website.
Because of heightened security screening, postal mail addressed to the Commission will be subject to delay. We strongly encourage you to submit your comments online through the https://www.regulations.gov website. If you prefer to file your comment on paper, write “Marriott and Starwood; File No. 192 3022” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Mail Stop H-144 (Annex L), Washington, DC 20580.
Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure your comment does not include any sensitive or confidential information. In particular, your comment should not include sensitive personal information, such as your or anyone else's Social Security number; date of birth; driver's license number or other State identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure your comment does not include sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential”—as provided by section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule § 4.10(a)(2), 16 CFR 4.10(a)(2)—including competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule § 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule § 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the https://www.regulations.gov website—as legally required by FTC Rule § 4.9(b)—we cannot redact or remove your comment from that website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule § 4.9(c), and the General Counsel grants that request.
Visit the FTC website at https://www.ftc.gov to read this document and the news release describing the proposed settlement. The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments it receives on or before November 12, 2024. For information on the Commission's privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission (the “Commission”) has accepted, subject to final approval, an agreement containing consent order from Marriott International, Inc. (“Marriott”) and Starwood Hotels & Resorts Worldwide, LLC (“Starwood” or collectively, “Respondents”). The proposed consent order (“Proposed Order”) has been placed on the public record for 30 days for receipt of comments from interested persons. Comments received during this period will become part of the public record. After 30 days, the Commission will again review the agreement, along with any comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the Proposed Order.
Marriott is a multinational hospitality company that manages and franchises hotels and related lodging facilities, including 30 brands and more than 7,000 properties throughout the United States and across 131 countries and territories. On or about November 16, 2015, Marriott announced that it would acquire Starwood, and on or about September 23, 2016, Starwood became a wholly owned subsidiary of Marriott. With the acquisition of Starwood, Marriott became the largest hotel chain in the world at that time, with more than 1.1 million hotel rooms, accounting for one out of every fifteen hotel rooms worldwide.
After Marriott's acquisition of Starwood, Marriott took control of Starwood's computer network and has been responsible for establishing, reviewing, and implementing the information security practices for both Marriott and Starwood. Additionally, Marriott commenced a two-year process to integrate some Starwood systems into the Marriott network. Marriott fully integrated those Starwood systems into its own network by December 2018.
According to the FTC's Complaint, Respondents suffered at least three distinct data security breaches over the course of several years. Starwood informed customers of the first breach just four days after the announcement of Marriott's acquisition of Starwood. This breach allowed intruders to compromise Starwood's point-of-sale systems and gain access to more than 40,000 customer payment cards over the course of 14 months.
The second breach began on or around July 28, 2014, and involved a compromise of a Starwood guest reservation database. This breach went undetected for four years, including the period after the acquisition during which Marriott had responsibility for Starwood's information security practices and network. Forensic examiners retained by Marriott in September 2018 identified failures similar to those that led to the first breach, including: inadequate firewall controls, unencrypted payment card information stored outside of the secure cardholder data environment, lack of multifactor authentication, and inadequate monitoring and logging practices. As a result of the second breach, intruders compromised the personal information in 339 million Starwood guest records, including 5.25 million unencrypted passport numbers, worldwide. Additional compromised information from the Starwood guest reservation database included: names, dates of birth, payment card numbers, addresses, email addresses, telephone numbers, usernames, Starwood loyalty numbers, and partner loyalty program numbers.
As to the third breach, Marriott announced in March 2020 that malicious actors had compromised the credentials of employees at a Marriott-franchised property to gain access to Marriott's own network. The intruders began accessing and exporting consumers' personal information without detection from September 2018—the same month that Marriott became aware of the second breach—to December 2018, then resumed in January 2020 and continued until they were discovered in February 2020. The intruders were able to access more than 5.2 million guest records, including 1.8 million records related to U.S. consumers, that contained significant amounts of personal information, including: names, mailing addresses, email addresses, phone numbers, affiliated companies, gender, month and day of birth, Marriott loyalty account information, partner loyalty program numbers, and hotel stay and room preferences. Marriott's internal investigation confirmed that the malicious actors' main purpose in searching, accessing, and exporting guest records was to identify loyalty accounts with enough loyalty points to be used or redeemed, including for booking stays at hotel properties.
The Commission's proposed two-count complaint alleges that Respondents violated section 5(a) of the FTC Act by: (1) deceiving customers by representing in each of their privacy policies that they used reasonable and appropriate safeguards to protect consumers' personal and financial information; and (2) failing to employ reasonable security measures to protect consumers' personal information. With respect to these counts, the proposed complaint alleges that Respondents:
- failed to implement appropriate password controls, which resulted in employees often using default, blank or weak passwords;
- failed to patch outdated software and systems in a timely manner;
- failed to adequately monitor and log network environments, limiting the ability to detect malicious actors and distinguish between authorized and unauthorized activity;
- failed to implement appropriate access controls;
- failed to implement appropriate firewall controls;
- failed to implement appropriate network segmentation to prevent attackers from moving freely across their networks and databases; and
- failed to apply adequate multifactor authentication to protect sensitive information.
The proposed complaint alleges, with respect to the second count above, that Respondents' failure to employ reasonable security measures to protect consumers' personal information caused, or is likely to cause, substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. Such practices constitute unfair acts or practices under section 5 of the FTC Act.
The Proposed Order contains injunctive relief designed to prevent Respondents from engaging in the same or similar acts or practices in the future. Part I prohibits Respondents from misrepresenting in any manner, expressly or by implication: (1) Respondents' collection, maintenance, use, deletion, or disclosure of consumers' personal information; and (2) the extent to which Respondents protect the privacy, security, availability, confidentiality, or integrity of consumers' personal information. Part II requires that Respondents establish, implement, and document a comprehensive information security program. The program must include specific safeguards tailored to Respondents' previous data security shortcomings.
Parts III-VI require Respondents to obtain initial and biennial information security assessments by an independent, third-party professional for 20 years (part III), cooperate with the independent assessor (part IV), provide the Commission with a certification of compliance with the Order from Respondents' CEO (part V), and submit reports to the Commission if they suffer additional data incidents (part VI).
Part VII requires Respondents to provide a Clear and Conspicuous method by which U.S. consumers can request that Respondents review the deletion of personal information associated with an email address and/or Loyalty Rewards Program account number. Part VIII requires Respondents to provide a link on their website and mobile app where all U.S. consumers may request deletion of Personal Information associated with an email address and/or Loyalty Rewards Program account number.
Parts IX-XII are reporting and compliance provisions, which include recordkeeping requirements and provisions requiring Respondents to provide information or documents necessary for the Commission to monitor compliance. Part XIII states that the Proposed Order will remain in effect for 20 years, with certain exceptions.
The purpose of this analysis is to facilitate public comment on the Proposed Order, and it is not intended to constitute an official interpretation of the complaint or Proposed Order, or to modify the Proposed Order's terms in any way.
By direction of the Commission, Commissioners Holyoak and Ferguson recused.
April J. Tabor,
Secretary.
[FR Doc. 2024-23283 Filed 10-10-24; 8:45 am]
BILLING CODE 6750-01-P