Risk Assessment Could Have Prevented Marriott $52M Fine
Oct. 10, 2024
The $52 million settlement between the Federal Trade Commission and Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide, LLC addresses data security failures that led to at least three data breaches between 2014 and 2020.
A basic cybersecurity risk assessment (CSRA) could have prevented these breaches. Here’s how:
- Identifying Vulnerabilities: A thorough risk assessment identifies vulnerabilities within an organization’s systems and networks. By pinpointing these weaknesses, organizations can take proactive measures to mitigate them before they are exploited.
- Implementing Controls: Based on the findings of a risk assessment, organizations can implement appropriate security controls, such as enhanced multi-factor authentication, advanced threat detection systems, and regular security audits.
- Compliance and Best Practices: Conducting risk assessments ensures compliance with regulatory requirements and adherence to cybersecurity best practices, further strengthening the organization’s defenses.
By systematically identifying and addressing potential risks, a cybersecurity risk assessment can significantly reduce the likelihood of a breach and minimize its impact if one occurs.
Significant FTC Enforcement
Overall, the Marriott-Starwood settlement demonstrates the FTC's willingness to take strong enforcement action against companies that fail to safeguard consumer data, even for well-established brands. It highlights the critical importance of proactive, comprehensive cybersecurity measures for businesses that collect and store personal information.
The proposed order that Marriott and Starwood have agreed to in settling the FTC's case mainly requires them to implement processes and checks designed to prevent future problems: protecting personal information, detecting problems as they arise, and fixing any issues in a timely manner. Separately, Marriott has agreed to pay $52 million as part of related settlements with state enforcers.
The settlement is significant for these reasons:
- Scale of the data breaches: The breaches impacted hundreds of millions of consumer records, including sensitive information like passport numbers and payment card details. The massive scale of the data compromised highlights the serious nature of the security failures.
- Repeated security lapses: The settlement covers multiple data breaches that occurred over several years, indicating Marriott and Starwood struggled to properly secure customer data and address vulnerabilities in their systems. This pattern of recurring breaches is concerning.
- Emphasis on proactive security measures: The proposed order requires Marriott and Starwood to implement robust processes for protecting personal information, detecting security issues, and promptly fixing problems. This signals the FTC's focus on pushing companies to take a more proactive, comprehensive approach to data security.
- Significant financial penalty: The $52 million payment as part of the state settlements underscores the gravity of the FTC's findings and the consequences for Marriott's security failures. Large financial penalties can incentivize companies to prioritize data protection.
- Broader implications for the hospitality industry: As a major hotel chain, Marriott's settlement sets an important precedent for data security standards and expectations in the hospitality sector, which handles large volumes of sensitive customer information.
The key lessons businesses can take from the Marriott data breach case include collecting and keeping only the data that is needed, exercising oversight of vendors, addressing security issues when acquiring another company, and implementing processes and checks to protect personal information, detect problems, and fix any issues in a timely manner.
Schedule a Cybersecurity Risk Assessment
If you’re concerned about safeguarding your organization against unexpected breaches, consider a Cybersecurity Risk Assessment from STACK Cybersecurity. These assessments play a crucial role in identifying vulnerabilities and enhancing security measures.
Schedule a cybersecurity assessment to fortify your defenses and protect your organization’s valuable assets. Call (734) 744-5300 or Contact Us.