In connection with several data breaches affecting hundreds of millions of hotel guests, Marriott will settle outstanding investigations with federal and state regulators for $52M and must also substantially strengthen its security practices across its portfolio of hotels. The company also faces class action claims relating to the breaches, which took place over several years and exposed information such as guest passport numbers and credit card numbers.
WHY IT MATTERS
The size of the financial penalties here would cripple most organizations, but it is the new security commitments that probably matter most. They signal what regulators view as current best practices for handling consumer data. Regulators will require that the highest levels of Marriott management be involved in privacy and security matters; that consumers be given easy tools for managing their data; that the company practice good security hygiene, including patching and upgrading systems promptly; and that the company institute a new security program that includes enhanced employee training and incorporates data minimization, vendor management, and security assessments, among other principles and practices. The requirements also include a commitment to address security gaps in any target company that Marriott acquires hereafter. These are significant commitments and are likely to feature in regulatory mandates for other companies in the future.