Marriott Settles Huge Privacy Case
Marriott International has reached a settlement with state and federal regulators over a series of data breaches the hotel chain suffered between 2014 and 2020. Marriott will pay $52 million to states across the country and implement a raft of cybersecurity improvements under the watchful eye of the Federal Trade Commission.
The FTC and state attorneys general announced the settlement today. As usual, the details offer a blueprint of the data privacy protections regulators expect, one that CISOs, privacy officers, and other compliance professionals will want to read closely so they can judge how well their own compliance programs do or don't meet current regulatory expectations.
The history of Marriott’s privacy breaches makes for painful reading. The failures actually began at Starwood Hotels & Resorts back in 2014, before Marriott acquired Starwood in 2016. That breach went undetected for 14 months until Starwood notified customers in November 2015, just four days after Marriott announced it was acquiring Starwood.
Then came another breach, which also started at Starwood in 2014 but went undetected until September 2018, two years after Marriott closed its Starwood acquisition. In this breach hackers accessed 339 million Starwood guest account records, including 5.25 million unencrypted passport numbers. Along the way the hackers planted malware at 58 Starwood locations, from corporate headquarters to data centers to customer call centers to individual hotel properties.
A third and final breach happened from September 2018 until February 2020, this time on Marriott’s own network. Hackers accessed 5.2 million guest records worldwide, including data from 1.8 million Americans. The compromised records included names, mailing addresses, email addresses, phone numbers, dates of birth, and loyalty account information.
In other words, this was a huge and long-running mess, one where Marriott bungled just about every element of a successful compliance program: due diligence, risk assessment, privacy controls, third-party risk management, and more.
What Marriott Must Do Now
As usual with these FTC settlements, Marriott has agreed to make numerous improvements to its data privacy program and to submit to independent reviews of that program for the next 20 years.
Some of the improvements are the generic measures we've seen in previous FTC settlements for data privacy, such as (1) adopting a written information security program; (2) designating a specific person to be responsible for that program; and (3) conducting risk assessments at least annually, and within 120 days of any serious breach, to see whether the program needs to be updated.
Then comes a long list of more specific safeguards that Marriott needs to implement too. This is the stuff that should have CISOs, internal auditors, and compliance officers sitting up and paying attention.
- Annual security training for all employees who have access to personal information on any Marriott IT asset, which presumably will be just about everybody at the company. The training must be tailored to each employee's role, rather than one universal security course for everybody.
- A written incident response plan, so that everybody knows who does what tasks to identify and respond to a breach of personal data.
- Strong access controls for all Marriott employees, as well as any vendors who have access to Marriott customer data. This is where we get the nitty-gritty stuff, such as tight controls for password complexity, password reset procedures, and applying the principle of least privilege to employee access to customer data.
- Multi-factor authentication requirements for all Marriott employees and vendors who might access corporate systems remotely.
- Network segmentation, to keep a breach contained when one does occur. Moreover, Marriott shouldn't introduce new operating systems or devices to a network segment unless those new IT assets meet strong configuration standards.
- Data discovery scanning across Marriott's entire IT environment, to identify every IT asset that stores or processes personal data.
- Patch management systems to ensure that when a vulnerability is discovered, Marriott's IT team can patch that weakness with appropriate speed and across the enterprise as necessary.
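The data discovery requirement above is the one most easily shown in code, so here is an added example of what such a scan does; it is not code from Marriott, the FTC, or any vendor. It walks a constructed inventory of assets (hypothetical file contents, not real guest data) and reports which ones hold personal data. It goes a little beyond the bullet point by showing two false-positive controls a real scanner needs: a Luhn check on candidate card numbers, and a keyword-proximity rule for passport numbers, since passport formats vary by country and a bare digit-run pattern would flag every job number in a log. The passport rule (the word "passport" within 20 characters of an 8 or 9 character alphanumeric token) is an assumption for the example, not a standard.

```python
from __future__ import annotations

import re

# Constructed sample inventory: asset name -> text content. Hypothetical data
# for the example, not anything from Marriott or the FTC record.
SAMPLE_ASSETS = {
    "crm-export.csv": (
        "guest,email,phone\n"
        "A. Smith,asmith@example.com,+1 415-555-0142\n"
    ),
    "front-desk-notes.txt": (
        "Guest passport no. C12345678 copied for check-in; "
        "card on file 4111 1111 1111 1111\n"
    ),
    "build.log": (
        "compiled 4111111111111112 objects in 12 s, job 123456789 done\n"
    ),
}

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# A separator between digit groups is required, so bare digit runs are not phones.
PHONE_RE = re.compile(r"(?:\+\d{1,2}\s?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}\b")
# Candidate card numbers: 13-19 digits with optional spaces or dashes; each
# candidate must still pass the Luhn check before it counts.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed rule for the example: the keyword "passport" followed within 20
# characters by an 8-9 character alphanumeric token. Real formats vary by country.
PASSPORT_RE = re.compile(r"passport.{0,20}?\b([A-Z0-9]{8,9})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> set[str]:
    """Return the set of personal-data categories detected in one asset's content."""
    found: set[str] = set()
    if EMAIL_RE.search(text):
        found.add("email")
    if PHONE_RE.search(text):
        found.add("phone")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drops build.log's 4111111111111112, which fails Luhn
            found.add("payment_card")
            break
    if PASSPORT_RE.search(text):
        found.add("passport")
    return found


def scan_assets(assets: dict[str, str]) -> dict[str, set[str]]:
    """Map each asset that holds personal data to the categories found in it."""
    return {name: hits for name, text in assets.items() if (hits := scan_text(text))}


if __name__ == "__main__":
    for asset, categories in sorted(scan_assets(SAMPLE_ASSETS).items()):
        print(f"{asset}: {', '.join(sorted(categories))}")
```

On the sample inventory the CRM export is flagged for email and phone, the front-desk notes for a passport number and a payment card, and the build log is left alone even though it contains a 16-digit number and a 9-digit number. In a real deployment the inventory would come from file shares, databases and ticketing systems rather than an in-memory dict, and the output would feed the asset register that the segmentation and access-control requirements depend on.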
And since two of these breaches began at an acquisition target (Starwood) and went undetected by Marriott both before and after the deal closed, the company must also perform extensive due diligence on new acquisitions to sniff out potential security threats. Marriott then needs to develop a plan to remedy those issues before the acquisition target is integrated into Marriott's larger IT environment.
Marriott must also test its safeguards annually and obtain an independent security assessment from a third party every other year for the next 20 years.
That’s a lot, and I’m sure Marriott has already done at least some of this work. (Indeed, in a prepared statement, Marriott said it will “continue implementing enhancements to its data privacy and information security programs, many of which are already in place or in progress.”)
My point is simply that if you’re a CISO or internal auditor who wants to understand what regulators expect for effective security and privacy compliance programs these days, resolutions such as the Marriott settlement are a solid roadmap to follow.
So How Do You Follow It?
Well, that's the better question to ask, isn't it? For large enterprises such as Marriott, the steps mentioned above don't break any new ground; they're common-sense measures that any CISO or internal auditor would want to see in place.
The real question is how to ensure that you actually have those measures in place, and that they actually work. For an example of how difficult this can be, look no further than UnitedHealth and the disastrous ransomware attack it suffered this year, likely to cost the company more than $2 billion. The attack happened because someone forgot to implement multi-factor authentication on a critical server at Change Healthcare, a business UnitedHealth acquired in 2022. So how did a large, sophisticated business like UnitedHealth not notice a material risk in one of its subsidiaries for more than a year?
That's the challenge here. Firms need the right tools, processes, and people to assess security risk, identify necessary remediation steps, and then confirm that those steps are taken in a timely manner. Plenty of vendors offer such tools, mapping risks and remediation to various security frameworks, alerting people when tasks aren't done, and so forth. So has your company implemented one of those tools, or built homegrown technology to do the same? Are you testing those processes to be sure they work?
Also, who are the people at your enterprise doing this work? Have their roles and responsibilities been defined clearly? Does internal audit have the staffing and expertise it needs to work with the IT security team? Does the privacy compliance team work closely with IT security to define the safeguards your company has in place and the compliance posture you need to achieve?
Those are the security and privacy challenges of today. Marriott’s settlement is just the latest cautionary tale in what happens if you don’t get it right.