Overview

• The FTC finalized an order requiring Marriott and Starwood to strengthen their data security after three breaches from 2014 to 2020 impacted 344 million customers globally.
• Exposed data included passport numbers, payment card details, and personal information, with some breaches lasting years before detection.
• The mandated changes include creating a comprehensive security program, implementing multi-factor authentication, and monitoring IT assets for anomalies within 24 hours.
• Marriott must allow U.S. customers to request the deletion of their personal data and restore loyalty points lost in breaches.
• The order, effective December 20, 2024, requires compliance within 180 days and will remain enforceable for 20 years, with regular independent assessments.