Marriott International, Inc.; Analysis of Proposed Consent Order To Aid Public Comment
Abstract
The consent agreement in this matter settles alleged violations of Federal law prohibiting unfair or deceptive acts or practices. The attached Analysis of Proposed Consent Order to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order--embodied in the consent agreement--that would settle these allegations.
<html>
<head>
<title>Federal Register, Volume 89 Issue 198 (Friday, October 11, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 198 (Friday, October 11, 2024)]
[Notices]
[Pages 82609-82611]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-23283]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 192 3022]
Marriott International, Inc.; Analysis of Proposed Consent Order
To Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement; request for comment.
-----------------------------------------------------------------------
[[Page 82610]]
SUMMARY: The consent agreement in this matter settles alleged
violations of Federal law prohibiting unfair or deceptive acts or
practices. The attached Analysis of Proposed Consent Order to Aid
Public Comment describes both the allegations in the complaint and the
terms of the consent order--embodied in the consent agreement--that
would settle these allegations.
DATES: Comments must be received on or before November 12, 2024.
ADDRESSES: Interested parties may file comments online or on paper by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Please write ``Marriott and
Starwood; File No. 192 3022'' on your comment and file your comment
online at <a href="https://www.regulations.gov">https://www.regulations.gov</a> by following the instructions on
the web-based form. If you prefer to file your comment on paper, please
mail your comment to the following address: Federal Trade Commission,
Office of the Secretary, 600 Pennsylvania Avenue NW, Mail Stop H-144
(Annex L), Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT: Katherine McCarron, Attorney, Division
of Privacy and Identity Protection, Bureau of Consumer Protection,
Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC
20580, kmccarron@ftc.gov, (202-326-2333).
SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule Sec. 2.34, 16 CFR
2.34, notice is hereby given that the above-captioned consent agreement
containing a consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of 30 days. The following
Analysis to Aid Public Comment describes the terms of the consent
agreement and the allegations in the complaint. An electronic copy of
the full text of the consent agreement package can be obtained at
<a href="https://www.ftc.gov/news-events/commission-actions">https://www.ftc.gov/news-events/commission-actions</a>.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before November 12,
2024. Write ``Marriott and Starwood; File No. 192 3022'' on your
comment. Your comment--including your name and your State--will be
placed on the public record of this proceeding, including, to the
extent practicable, on the <a href="https://www.regulations.gov">https://www.regulations.gov</a> website.
Because of heightened security screening, postal mail addressed to
the Commission will be subject to delay. We strongly encourage you to
submit your comments online through the <a href="https://www.regulations.gov">https://www.regulations.gov</a>
website. If you prefer to file your comment on paper, write ``Marriott
and Starwood; File No. 192 3022'' on your comment and on the envelope,
and mail your comment to the following address: Federal Trade
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Mail
Stop H-144 (Annex L), Washington, DC 20580.
Because your comment will be placed on the publicly accessible
website at <a href="https://www.regulations.gov">https://www.regulations.gov</a>, you are solely responsible for
making sure your comment does not include any sensitive or confidential
information. In particular, your comment should not include sensitive
personal information, such as your or anyone else's Social Security
number; date of birth; driver's license number or other State
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. You are also
solely responsible for making sure your comment does not include
sensitive health information, such as medical records or other
individually identifiable health information. In addition, your comment
should not include any ``trade secret or any commercial or financial
information which . . . is privileged or confidential''--as provided by
section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule Sec.
4.10(a)(2), 16 CFR 4.10(a)(2)--including competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule Sec. 4.9(c). In
particular, the written request for confidential treatment that
accompanies the comment must include the factual and legal basis for
the request and must identify the specific portions of the comment to
be withheld from the public record. See FTC Rule Sec. 4.9(c). Your
comment will be kept confidential only if the General Counsel grants
your request in accordance with the law and the public interest. Once
your comment has been posted on the <a href="https://www.regulations.gov">https://www.regulations.gov</a>
website--as legally required by FTC Rule Sec. 4.9(b)--we cannot redact
or remove your comment from that website, unless you submit a
confidentiality request that meets the requirements for such treatment
under FTC Rule Sec. 4.9(c), and the General Counsel grants that
request.
Visit the FTC website at <a href="https://www.ftc.gov">https://www.ftc.gov</a> to read this document
and the news release describing the proposed settlement. The FTC Act
and other laws the Commission administers permit the collection of
public comments to consider and use in this proceeding, as appropriate.
The Commission will consider all timely and responsive public comments
it receives on or before November 12, 2024. For information on the
Commission's privacy policy, including routine uses permitted by the
Privacy Act, see <a href="https://www.ftc.gov/site-information/privacy-policy">https://www.ftc.gov/site-information/privacy-policy</a>.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission (the ``Commission'') has accepted,
subject to final approval, an agreement containing a consent order from
Marriott International, Inc. (``Marriott'') and Starwood Hotels &
Resorts Worldwide, LLC (``Starwood'' or collectively, ``Respondents'').
The proposed consent order (``Proposed Order'') has been placed on the
public record for 30 days for receipt of comments from interested
persons. Comments received during this period will become part of the
public record. After 30 days, the Commission will again review the
agreement, along with any comments received, and will decide whether it
should withdraw from the agreement and take appropriate action or make
final the Proposed Order.
Marriott is a multinational hospitality company that manages and
franchises hotels and related lodging facilities, including 30 brands
and more than 7,000 properties throughout the United States and across
131 countries and territories. On or about November 16, 2015, Marriott
announced that it would acquire Starwood, and on or about September 23,
2016, Starwood became a wholly owned subsidiary of Marriott. With the
acquisition of Starwood, Marriott became the largest hotel chain in the
world at that time, with more than 1.1 million hotel rooms, accounting
for one out of every fifteen hotel rooms worldwide.
After Marriott's acquisition of Starwood, Marriott took control of
Starwood's computer network and has been responsible for establishing,
reviewing, and implementing the information security practices for both
Marriott and Starwood. Additionally, Marriott commenced a two-year
process to integrate some Starwood systems into the Marriott network.
Marriott fully integrated those Starwood systems into its own network
by December 2018.
According to the FTC's Complaint, Respondents suffered at least
three distinct data security breaches over the course of several years.
Starwood informed customers of the first breach just four days after
the announcement of Marriott's acquisition of Starwood. This breach
allowed intruders to compromise Starwood's point-of-sale systems and
gain access to more than 40,000 customer payment cards over the course
of 14 months.
The second breach began on or around July 28, 2014, and involved a
breach of a Starwood guest reservation database. This breach went
undetected for four years--during which Marriott had responsibility for
Starwood's information security practices and network following the
acquisition. Forensic examiners, retained by Marriott in September
2018, identified failures similar to those that resulted in the first
breach, including: inadequate firewall controls, unencrypted payment
card information stored outside of the secure cardholder data
environment, lack of multifactor authentication, and inadequate
monitoring and logging practices. As a result of the second breach, intruders
compromised the personal information of 339 million Starwood guest
records and 5.25 million unencrypted passport numbers worldwide.
Additional compromised information from the Starwood guest reservation
database included: names, dates of birth, payment card numbers,
addresses, email addresses, telephone numbers, usernames, Starwood
loyalty numbers, and partner loyalty program numbers.
As to the third breach, Marriott announced in March 2020 that
malicious actors had compromised the credentials of employees at a
Marriott-franchised property to gain access to Marriott's own network.
The intruders began accessing and exporting consumers' personal
information without detection from September 2018--the same month that
Marriott became aware of the second breach--to December 2018 and
resumed in January 2020 and continued until they were ultimately
discovered in February 2020. The intruders were able to access more
than 5.2 million guest records, including 1.8 million records related
to U.S. consumers, that contained significant amounts of personal
information, including: names, mailing addresses, email addresses,
phone numbers, affiliated companies, gender, month and day of birth,
Marriott loyalty account information, partner loyalty program numbers,
and hotel stay and room preferences. Marriott's internal investigation
confirmed that the malicious actors' main purpose for searching,
accessing, and exporting guest records was to identify loyalty accounts
with sufficient loyalty points to be either used or redeemed, including
for booking stays at hotel properties.
The Commission's proposed two-count complaint alleges that
Respondents violated section 5(a) of the FTC Act by: (1) deceiving
customers by representing in each of their privacy policies that they
used reasonable and appropriate safeguards to protect consumers'
personal and financial information; and (2) failing to employ
reasonable security measures to protect consumers' personal
information. With respect to these counts, the proposed complaint
alleges that Respondents:
• failed to implement appropriate password controls, which
resulted in employees often using default, blank or weak passwords;
• failed to patch outdated software and systems in a timely
manner;
• failed to adequately monitor and log network environments,
limiting the ability to detect malicious actors and distinguish between
authorized and unauthorized activity;
• failed to implement appropriate access controls;
• failed to implement appropriate firewall controls;
• failed to implement appropriate network segmentation to
prevent attackers from moving freely across its networks and databases;
and
• failed to apply adequate multifactor authentication to
protect sensitive information.
The proposed complaint alleges, with respect to the second count
above, that Respondents' failure to employ reasonable security measures
to protect consumers' personal information caused, or is likely to
cause, substantial injury to consumers that is not outweighed by
countervailing benefits to consumers or competition and is not
reasonably avoidable by consumers themselves. Such practices constitute
unfair acts or practices under section 5 of the FTC Act.
The Proposed Order contains injunctive relief designed to prevent
Respondents from engaging in the same or similar acts or practices in
the future. Part I prohibits Respondents from misrepresenting in any
manner, expressly or by implication: (1) Respondents' collection,
maintenance, use, deletion, or disclosure of consumers' personal
information; and (2) the extent to which Respondents protect the
privacy, security, availability, confidentiality, or integrity of
consumers' personal information. Part II requires that Respondents
establish, implement, and document a comprehensive information security
program. The program must include specific safeguards tailored to
Respondents' previous data security shortcomings.
Parts III-VI require Respondents to obtain initial and biennial
information security assessments by an independent, third-party
professional for 20 years (part III), cooperate with the independent
assessor (part IV), provide the Commission with a certification of
compliance with the Order from Respondents' CEO (part V), and submit
reports to the Commission if they suffer additional data incidents
(part VI).
Part VII requires Respondents to provide a Clear and Conspicuous
method by which U.S. consumers can request that Respondents review the
deletion of personal information associated with an email address and/
or Loyalty Rewards Program account number. Part VIII requires
Respondents to provide a link on their website and mobile app where all
U.S. consumers may request deletion of Personal Information associated
with an email address and/or Loyalty Rewards Program account number.
Parts IX-XII are reporting and compliance provisions, which include
recordkeeping requirements and provisions requiring Respondents to
provide information or documents necessary for the Commission to
monitor compliance. Part XIII states that the Proposed Order will
remain in effect for 20 years, with certain exceptions.
The purpose of this analysis is to facilitate public comment on the
Proposed Order, and it is not intended to constitute an official
interpretation of the complaint or Proposed Order, or to modify the
Proposed Order's terms in any way.
By direction of the Commission, Commissioners Holyoak and
Ferguson recused.
April J. Tabor,
Secretary.
[FR Doc. 2024-23283 Filed 10-10-24; 8:45 am]
BILLING CODE 6750-01-P
</pre></body>
</html>