Marriott International, Inc.; Analysis of Proposed Consent Order To Aid Public Comment, 82609-82611 [2024-23283]
Federal Register / Vol. 89, No. 198 / Friday, October 11, 2024 / Notices
A. Federal Reserve Bank of St. Louis (Holly A. Rieser, Senior Manager) P.O. Box 442, St. Louis, Missouri 63166–2034. Comments can also be sent electronically to Comments.applications@stls.frb.org:
1. The Gary Canada Family Trust and the Bradley S. Canada 2020 Trust, Bradley S. Canada, as trustee for both Trusts, all of Little Rock, Arkansas; and Gary R. Canada, Sr., England, Arkansas; as a group acting in concert, to retain voting shares of MHBC Investments Limited Partnership I, LLLP, and thereby indirectly retain voting shares of Canada Bancshares, Inc., and the Bank of England, all of England, Arkansas.
Board of Governors of the Federal Reserve System.
Michele Taylor Fennell,
Associate Secretary of the Board.
[FR Doc. 2024–23634 Filed 10–10–24; 8:45 am]
BILLING CODE P
FEDERAL RESERVE SYSTEM
Formations of, Acquisitions by, and Mergers of Bank Holding Companies
The companies listed in this notice have applied to the Board for approval, pursuant to the Bank Holding Company Act of 1956 (12 U.S.C. 1841 et seq.) (BHC Act), Regulation Y (12 CFR part 225), and all other applicable statutes and regulations to become a bank holding company and/or to acquire the assets or the ownership of, control of, or the power to vote shares of a bank or bank holding company and all of the banks and nonbanking companies owned by the bank holding company, including the companies listed below.
The public portions of the applications listed below, as well as other related filings required by the Board, if any, are available for immediate inspection at the Federal Reserve Bank(s) indicated below and at the offices of the Board of Governors. This information may also be obtained on an expedited basis, upon request, by contacting the appropriate Federal Reserve Bank and from the Board’s Freedom of Information Office at https://www.federalreserve.gov/foia/request.htm. Interested persons may express their views in writing on the standards enumerated in the BHC Act (12 U.S.C. 1842(c)).
Comments received are subject to public disclosure. In general, comments received will be made available without change and will not be modified to remove personal or business information including confidential, contact, or other identifying information. Comments should not include any information such as confidential information that would not be appropriate for public disclosure.
Comments regarding each of these applications must be received at the Reserve Bank indicated or the offices of the Board of Governors, Ann E. Misback, Secretary of the Board, 20th Street and Constitution Avenue NW, Washington DC 20551–0001, not later than November 12, 2024.
A. Federal Reserve Bank of Minneapolis (Mark Rauzi, Vice President), 90 Hennepin Avenue, Minneapolis, Minnesota 55480–0291. Comments can also be sent electronically to MA@mpls.frb.org:
1. Bravera Holdings Corp., Dickinson, North Dakota; to acquire Vision Bank Holdings, Inc., and thereby indirectly acquire VISIONBank, both of Fargo, North Dakota. In addition, Bravera Acquisition Corp., Dickinson, North Dakota, an interim subsidiary, to merge with Vision Bank Holdings, Inc., whereby Bravera Acquisition Corp. will be the surviving entity and a wholly-owned subsidiary of Bravera Holdings Corp. for a moment in time. Following the interim holding company merger, Bravera Acquisition Corp. will be merged with and into Bravera Holdings Corp., with Bravera Holdings Corp. being the surviving entity.
Board of Governors of the Federal Reserve System.
Michele Taylor Fennell,
Associate Secretary of the Board.
[FR Doc. 2024–23635 Filed 10–10–24; 8:45 am]
BILLING CODE P
FEDERAL RESERVE SYSTEM
Notice of Proposals To Engage in or To Acquire Companies Engaged in Permissible Nonbanking Activities
The companies listed in this notice have given notice under section 4 of the Bank Holding Company Act (12 U.S.C. 1843) (BHC Act) and Regulation Y (12 CFR part 225) to engage de novo, or to acquire or control voting securities or assets of a company, including the companies listed below, that engages either directly or through a subsidiary or other company, in a nonbanking activity that is listed in § 225.28 of Regulation Y (12 CFR 225.28) or that the Board has determined by Order to be closely related to banking and permissible for bank holding companies. Unless otherwise noted, these activities will be conducted throughout the United States.
The public portions of the applications listed below, as well as other related filings required by the Board, if any, are available for immediate inspection at the Federal Reserve Bank(s) indicated below and at the offices of the Board of Governors. This information may also be obtained on an expedited basis, upon request, by contacting the appropriate Federal Reserve Bank and from the Board’s Freedom of Information Office at https://www.federalreserve.gov/foia/request.htm. Interested persons may express their views in writing on the question whether the proposal complies with the standards of section 4 of the BHC Act.
Comments received are subject to public disclosure. In general, comments received will be made available without change and will not be modified to remove personal or business information including confidential, contact, or other identifying information. Comments should not include any information such as confidential information that would not be appropriate for public disclosure.
Unless otherwise noted, comments regarding the applications must be received at the Reserve Bank indicated or the offices of the Board of Governors, Ann E. Misback, Secretary of the Board, 20th Street and Constitution Avenue NW, Washington, DC 20551–0001, not later than November 12, 2024.
A. Federal Reserve Bank of New York (Bank Applications Officer) 33 Liberty Street, New York, New York 10045–0001. Comments can also be sent electronically to Comments.applications@ny.frb.org:
1. Grasshopper Bancorp, Inc., New York, New York; through its subsidiary bank, Grasshopper Bank, National Association, also of New York, New York, to acquire Auto Club Trust, FSB, Dearborn, Michigan, and thereby engage in operating a savings association pursuant to section 225.28(b)(4)(ii) of the Board’s Regulation Y.
Board of Governors of the Federal Reserve System.
Michele Taylor Fennell,
Associate Secretary of the Board.
[FR Doc. 2024–23510 Filed 10–10–24; 8:45 am]
BILLING CODE P
FEDERAL TRADE COMMISSION
[File No. 192 3022]
Marriott International, Inc.; Analysis of Proposed Consent Order To Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement; request for comment.
SUMMARY: The consent agreement in this matter settles alleged violations of Federal law prohibiting unfair or deceptive acts or practices. The attached Analysis of Proposed Consent Order to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.
DATES: Comments must be received on or before November 12, 2024.
ADDRESSES: Interested parties may file comments online or on paper by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Please write “Marriott and Starwood; File No. 192 3022” on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, please mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Mail Stop H–144 (Annex L), Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT: Katherine McCarron, Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, kmccarron@ftc.gov, (202–326–2333).
SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule § 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of 30 days. The following Analysis to Aid Public Comment describes the terms of the consent agreement and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained at https://www.ftc.gov/news-events/commission-actions.
You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before November 12, 2024. Write “Marriott and Starwood; File No. 192 3022” on your comment. Your comment—including your name and your State—will be placed on the public record of this proceeding, including, to the extent practicable, on the https://www.regulations.gov website.
Because of heightened security screening, postal mail addressed to the Commission will be subject to delay. We strongly encourage you to submit your comments online through the https://www.regulations.gov website. If you prefer to file your comment on paper, write “Marriott and Starwood; File No. 192 3022” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Mail Stop H–144 (Annex L), Washington, DC 20580.
Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure your comment does not include any sensitive or confidential information. In particular, your comment should not include sensitive personal information, such as your or anyone else’s Social Security number; date of birth; driver’s license number or other State identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure your comment does not include sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential”—as provided by section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule § 4.10(a)(2), 16 CFR 4.10(a)(2)—including competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule § 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule § 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the https://www.regulations.gov website—as legally required by FTC Rule § 4.9(b)—we cannot redact or remove your comment from that website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule § 4.9(c), and the General Counsel grants that request.
Visit the FTC website at https://www.ftc.gov to read this document and the news release describing the proposed settlement. The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments it receives on or before November 12, 2024. For information on the Commission’s privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission (the “Commission”) has accepted, subject to final approval, an agreement containing consent order from Marriott International, Inc. (“Marriott”) and Starwood Hotels & Resorts Worldwide, LLC (“Starwood” or collectively, “Respondents”). The proposed consent order (“Proposed Order”) has been placed on the public record for 30 days for receipt of comments from interested persons. Comments received during this period will become part of the public record. After 30 days, the Commission will again review the agreement, along with any comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the Proposed Order.
Marriott is a multinational hospitality company that manages and franchises hotels and related lodging facilities, including 30 brands and more than 7,000 properties throughout the United States and across 131 countries and territories. On or about November 16, 2015, Marriott announced that it would acquire Starwood, and on or about September 23, 2016, Starwood became a wholly owned subsidiary of Marriott. With the acquisition of Starwood, Marriott became the largest hotel chain in the world at that time, with more than 1.1 million hotel rooms, accounting for one out of every fifteen hotel rooms worldwide.
After Marriott’s acquisition of Starwood, Marriott took control of Starwood’s computer network and has been responsible for establishing, reviewing, and implementing the information security practices for both Marriott and Starwood. Additionally, Marriott commenced a two-year process to integrate some Starwood systems into the Marriott network. Marriott fully integrated those Starwood systems into its own network by December 2018.
According to the FTC’s Complaint, Respondents suffered at least three distinct data security breaches over the course of several years. Starwood informed customers of the first breach just four days after the announcement of Marriott’s acquisition of Starwood. This breach allowed intruders to compromise Starwood’s point-of-sale systems and gain access to more than 40,000 customer payment cards over the course of 14 months.
The second breach began on or around July 28, 2014, and involved a breach of a Starwood guest reservation database. This breach went undetected for four years—during which Marriott had responsibility for Starwood’s information security practices and network following the acquisition. Forensic examiners, retained by Marriott in September 2018, identified similar failures that resulted in the first breach, including: inadequate firewall controls, unencrypted payment card information stored outside of the secure cardholder data environment, lack of multifactor authentication, and inadequate monitoring and logging practices. As a result of the second breach, intruders compromised the personal information of 339 million Starwood guest records and 5.25 million unencrypted passport numbers worldwide. Additional compromised information from the Starwood guest reservation database included: names, dates of birth, payment card numbers, addresses, email addresses, telephone numbers, usernames, Starwood loyalty numbers, and partner loyalty program numbers.
As to the third breach, Marriott announced in March 2020 that malicious actors had compromised the credentials of employees at a Marriott-franchised property to gain access to Marriott’s own network. The intruders began accessing and exporting consumers’ personal information without detection from September 2018—the same month that Marriott became aware of the second breach—to December 2018 and resumed in January 2020 and continued until they were ultimately discovered in February 2020. The intruders were able to access more than 5.2 million guest records, including 1.8 million records related to U.S. consumers, that contained significant amounts of personal information, including: names, mailing addresses, email addresses, phone numbers, affiliated companies, gender, month and day of birth, Marriott loyalty account information, partner loyalty program numbers, and hotel stay and room preferences. Marriott’s internal investigation confirmed that the malicious actors’ main purpose for searching, accessing, and exporting guest records was to identify loyalty accounts with sufficient loyalty points to be either used or redeemed, including for booking stays at hotel properties.
The Commission’s proposed two-count complaint alleges that Respondents violated section 5(a) of the FTC Act by: (1) deceiving customers by representing in each of their privacy policies that they used reasonable and appropriate safeguards to protect consumers’ personal and financial information; and (2) failing to employ reasonable security measures to protect consumers’ personal information. With respect to these counts, the proposed complaint alleges that Respondents:
• failed to implement appropriate password controls, which resulted in employees often using default, blank or weak passwords;
• failed to patch outdated software and systems in a timely manner;
• failed to adequately monitor and log network environments, limiting the ability to detect malicious actors and distinguish between authorized and unauthorized activity;
• failed to implement appropriate access controls;
• failed to implement appropriate firewall controls;
• failed to implement appropriate network segmentation to prevent attackers from moving freely across its networks and databases; and
• failed to apply adequate multifactor authentication to protect sensitive information.
The proposed complaint alleges, with respect to the second count above, that Respondents’ failure to employ reasonable security measures to protect consumers’ personal information caused, or is likely to cause, substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. Such practices constitute unfair acts or practices under section 5 of the FTC Act.
The Proposed Order contains injunctive relief designed to prevent Respondents from engaging in the same or similar acts or practices in the future. Part I prohibits Respondents from misrepresenting in any manner, expressly or by implication: (1) Respondents’ collection, maintenance, use, deletion, or disclosure of consumers’ personal information; and (2) the extent to which Respondents protect the privacy, security, availability, confidentiality, or integrity of consumers’ personal information. Part II requires that Respondents establish, implement, and document a comprehensive information security program. The program must include specific safeguards tailored to Respondents’ previous data security shortcomings.
Parts III–VI require Respondents to obtain initial and biennial information security assessments by an independent, third-party professional for 20 years (part III), cooperate with the independent assessor (part IV), provide the Commission with a certification of compliance with the Order from Respondents’ CEO (part V), and submit reports to the Commission if they suffer additional data incidents (part VI).
Part VII requires Respondents to provide a Clear and Conspicuous method by which U.S. consumers can request that Respondents review the deletion of personal information associated with an email address and/or Loyalty Rewards Program account number. Part VIII requires Respondents to provide a link on their website and mobile app where all U.S. consumers may request deletion of Personal Information associated with an email address and/or Loyalty Rewards Program account number.
Parts IX–XII are reporting and compliance provisions, which include recordkeeping requirements and provisions requiring Respondents to provide information or documents necessary for the Commission to monitor compliance. Part XIII states that the Proposed Order will remain in effect for 20 years, with certain exceptions.
The purpose of this analysis is to facilitate public comment on the Proposed Order, and it is not intended to constitute an official interpretation of the complaint or Proposed Order, or to modify the Proposed Order’s terms in any way.
By direction of the Commission, Commissioners Holyoak and Ferguson recused.
April J. Tabor,
Secretary.
[FR Doc. 2024–23283 Filed 10–10–24; 8:45 am]
BILLING CODE 6750–01–P
GENERAL SERVICES ADMINISTRATION
[Notice—C0A–2024–01; Docket No. 2024–0002; Sequence No 43]
Office of Human Resources Management; SES Performance Review Board
AGENCY: Office of Human Resources Management (OHRM), General Services Administration (GSA).
ACTION: Notice.
Agencies
[Federal Register Volume 89, Number 198 (Friday, October 11, 2024)]
[Notices]
[Pages 82609-82611]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-23283]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 192 3022]
Marriott International, Inc.; Analysis of Proposed Consent Order
To Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement; request for comment.
-----------------------------------------------------------------------
[[Page 82610]]
SUMMARY: The consent agreement in this matter settles alleged
violations of Federal law prohibiting unfair or deceptive acts or
practices. The attached Analysis of Proposed Consent Order to Aid
Public Comment describes both the allegations in the complaint and the
terms of the consent order--embodied in the consent agreement--that
would settle these allegations.
DATES: Comments must be received on or before November 12, 2024.
ADDRESSES: Interested parties may file comments online or on paper by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Please write ``Marriott and
Starwood; File No. 192 3022'' on your comment and file your comment
online at https://www.regulations.gov by following the instructions on
the web-based form. If you prefer to file your comment on paper, please
mail your comment to the following address: Federal Trade Commission,
Office of the Secretary, 600 Pennsylvania Avenue NW, Mail Stop H-144
(Annex L), Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT: Katherine McCarron, Attorney, Division
of Privacy and Identity Protection, Bureau of Consumer Protection,
Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC
20580, [email protected], (202-326-2333).
SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule Sec. 2.34, 16 CFR
2.34, notice is hereby given that the above-captioned consent agreement
containing a consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of 30 days. The following
Analysis to Aid Public Comment describes the terms of the consent
agreement and the allegations in the complaint. An electronic copy of
the full text of the consent agreement package can be obtained at
https://www.ftc.gov/news-events/commission-actions.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before November 12,
2024. Write ``Marriott and Starwood; File No. 192 3022'' on your
comment. Your comment--including your name and your State--will be
placed on the public record of this proceeding, including, to the
extent practicable, on the https://www.regulations.gov website.
Because of heightened security screening, postal mail addressed to
the Commission will be subject to delay. We strongly encourage you to
submit your comments online through the https://www.regulations.gov
website. If you prefer to file your comment on paper, write ``Marriott
and Starwood; File No. 192 3022'' on your comment and on the envelope,
and mail your comment to the following address: Federal Trade
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Mail
Stop H-144 (Annex L), Washington, DC 20580.
Because your comment will be placed on the publicly accessible
website at https://www.regulations.gov, you are solely responsible for
making sure your comment does not include any sensitive or confidential
information. In particular, your comment should not include sensitive
personal information, such as your or anyone else's Social Security
number; date of birth; driver's license number or other State
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. You are also
solely responsible for making sure your comment does not include
sensitive health information, such as medical records or other
individually identifiable health information. In addition, your comment
should not include any ``trade secret or any commercial or financial
information which . . . is privileged or confidential''--as provided by
section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule Sec.
4.10(a)(2), 16 CFR 4.10(a)(2)--including competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule Sec. 4.9(c). In
particular, the written request for confidential treatment that
accompanies the comment must include the factual and legal basis for
the request and must identify the specific portions of the comment to
be withheld from the public record. See FTC Rule Sec. 4.9(c). Your
comment will be kept confidential only if the General Counsel grants
your request in accordance with the law and the public interest. Once
your comment has been posted on the https://www.regulations.gov
website--as legally required by FTC Rule Sec. 4.9(b)--we cannot redact
or remove your comment from that website, unless you submit a
confidentiality request that meets the requirements for such treatment
under FTC Rule Sec. 4.9(c), and the General Counsel grants that
request.
Visit the FTC website at https://www.ftc.gov to read this document
and the news release describing the proposed settlement. The FTC Act
and other laws the Commission administers permit the collection of
public comments to consider and use in this proceeding, as appropriate.
The Commission will consider all timely and responsive public comments
it receives on or before November 12, 2024. For information on the
Commission's privacy policy, including routine uses permitted by the
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission (the ``Commission'') has accepted,
subject to final approval, an agreement containing consent order from
Marriott International, Inc. (``Marriott'') and Starwood Hotels &
Resorts Worldwide, LLC (``Starwood'' or collectively, ``Respondents'').
The proposed consent order (``Proposed Order'') has been placed on the
public record for 30 days for receipt of comments from interested
persons. Comments received during this period will become part of the
public record. After 30 days, the Commission will again review the
agreement, along with any comments received, and will decide whether it
should withdraw from the agreement and take appropriate action or make
final the Proposed Order.
Marriott is a multinational hospitality company that manages and
franchises hotels and related lodging facilities, including 30 brands
and more than 7,000 properties throughout the United States and across
131 countries and territories. On or about November 16, 2015, Marriott
announced that it would acquire Starwood, and on or about September 23,
2016, Starwood became a wholly owned subsidiary of Marriott. With the
acquisition of Starwood, Marriott became the largest hotel chain in the
world at that time, with more than 1.1 million hotel rooms, accounting
for one out of every fifteen hotel rooms worldwide.
After Marriott's acquisition of Starwood, Marriott took control of
Starwood's computer network and has been responsible for establishing,
reviewing, and implementing the information security practices for both
Marriott and Starwood. Additionally, Marriott commenced a two-year
process to integrate some Starwood systems into the Marriott network.
Marriott fully integrated those Starwood systems into its own network
by December 2018.
According to the FTC's Complaint, Respondents suffered at least
three
[[Page 82611]]
distinct data security breaches over the course of several years.
Starwood informed customers of the first breach just four days after
the announcement of Marriott's acquisition of Starwood. This breach
allowed intruders to compromise Starwood's point-of-sale systems and
gain access to more than 40,000 customer payment cards over the course
of 14 months.
The second breach began on or around July 28, 2014, and involved a
breach of a Starwood guest reservation database. This breach went
undetected for four years--during which Marriott had responsibility for
Starwood's information security practices and network following the
acquisition. Forensic examiners, retained by Marriott in September
2018, identified similar failures that resulted in the first breach,
including: inadequate firewall controls, unencrypted payment card
information stored outside of the secure cardholder data environment,
lack of multifactor authentication, and inadequate monitoring and
logging practices. As a result of the second breach, intruders
compromised the personal information of 339 million Starwood guest
records and 5.25 million unencrypted passport numbers worldwide.
Additional compromised information from the Starwood guest reservation
database included: names, dates of birth, payment card numbers,
addresses, email addresses, telephone numbers, usernames, Starwood
loyalty numbers, and partner loyalty program numbers.
As to the third breach, Marriott announced in March 2020 that
malicious actors had compromised the credentials of employees at a
Marriott-franchised property to gain access to Marriott's own network
The intruders began accessing and exporting consumers' personal
information without detection from September 2018--the same month that
Marriott became aware of the second breach--to December 2018 and
resumed in January 2020 and continued until they were ultimately
discovered in February 2020. The intruders were able to access more
than 5.2 million guest records, including 1.8 million records related
to U.S. consumers, that contained significant amounts of personal
information, including: names, mailing addresses, email addresses,
phone numbers, affiliated companies, gender, month and day of birth,
Marriott loyalty account information, partner loyalty program numbers,
and hotel stay and room preferences. Marriott's internal investigation
confirmed that the malicious actors' main purpose for searching,
accessing, and exporting guest records was to identify loyalty accounts
with sufficient loyalty points to be either used or redeemed, including
for booking stays at hotel properties.
The Commission's proposed two-count complaint alleges that
Respondents violated section 5(a) of the FTC Act by: (1) deceiving
customers by representing in each of their privacy policies that they
used reasonable and appropriate safeguards to protect consumers'
personal and financial information; and (2) failing to employ
reasonable security measures to protect consumers' personal
information. With respect to these counts, the proposed complaint
alleges that Respondents:
- failed to implement appropriate password controls, which resulted in
employees often using default, blank or weak passwords;
- failed to patch outdated software and systems in a timely manner;
- failed to adequately monitor and log network environments, limiting
the ability to detect malicious actors and distinguish between
authorized and unauthorized activity;
- failed to implement appropriate access controls;
- failed to implement appropriate firewall controls;
- failed to implement appropriate network segmentation to prevent
attackers from moving freely across its networks and databases; and
- failed to apply adequate multifactor authentication to protect
sensitive information.
The proposed complaint alleges, with respect to the second count
above, that Respondents' failure to employ reasonable security measures
to protect consumers' personal information caused, or is likely to
cause, substantial injury to consumers that is not outweighed by
countervailing benefits to consumers or competition and is not
reasonably avoidable by consumers themselves. Such practices constitute
unfair acts or practices under section 5 of the FTC Act.
The Proposed Order contains injunctive relief designed to prevent
Respondents from engaging in the same or similar acts or practices in
the future. Part I prohibits Respondents from misrepresenting in any
manner, expressly or by implication: (1) Respondents' collection,
maintenance, use, deletion, or disclosure of consumers' personal
information; and (2) the extent to which Respondents protect the
privacy, security, availability, confidentiality, or integrity of
consumers' personal information. Part II requires that Respondents
establish, implement, and document a comprehensive information security
program. The program must include specific safeguards tailored to
Respondents' previous data security shortcomings.
Parts III-VI require Respondents to obtain initial and biennial
information security assessments by an independent, third-party
professional for 20 years (part III), cooperate with the independent
assessor (part IV), provide the Commission with a certification of
compliance with the Order from Respondents' CEO (part V), and submit
reports to the Commission if they suffer additional data incidents
(part VI).
Part VII requires Respondents to provide a Clear and Conspicuous
method by which U.S. consumers can request that Respondents review the
deletion of personal information associated with an email address and/
or Loyalty Rewards Program account number. Part VIII requires
Respondents to provide a link on their website and mobile app where all
U.S. consumers may request deletion of Personal Information associated
with an email address and/or Loyalty Rewards Program account number.
Parts IX-XII are reporting and compliance provisions, which include
recordkeeping requirements and provisions requiring Respondents to
provide information or documents necessary for the Commission to
monitor compliance. Part XIII states that the Proposed Order will
remain in effect for 20 years, with certain exceptions.
The purpose of this analysis is to facilitate public comment on the
Proposed Order, and it is not intended to constitute an official
interpretation of the complaint or Proposed Order, or to modify the
Proposed Order's terms in any way.
By direction of the Commission, Commissioners Holyoak and
Ferguson recused.
April J. Tabor,
Secretary.
[FR Doc. 2024-23283 Filed 10-10-24; 8:45 am]
BILLING CODE 6750-01-P