Overview

• Marriott International has agreed to a $52 million settlement to resolve allegations of inadequate data security practices leading to multiple breaches between 2014 and 2020.
• The Federal Trade Commission and a coalition of 49 state attorneys general conducted parallel investigations into the breaches, which compromised sensitive information including passport and payment card data.
• As part of the settlement, Marriott must implement a comprehensive information security program and provide U.S. customers the option to delete personal data linked to their accounts.
• The breaches primarily stemmed from security failures at Starwood Hotels, acquired by Marriott in 2016, exposing the data of hundreds of millions of guests worldwide.
• Despite the settlement, Marriott made no admission of liability, but has committed to enhancing its cybersecurity measures to prevent future incidents.