Marriott and Starwood Hotels & Resorts must implement a “comprehensive information security program” to settle charges filed in the US after three large data breaches.
The hospitality group has to appoint someone to lead the program, provide regular governance reports, and track and document the program at regular intervals as it is implemented.
The order [pdf] also requires employees to receive regular training on “safeguarding” personal information held on any of the group’s IT assets.
For IT and security teams, the order sets out a number of specific requirements: documented incident response plans, appropriate logging and monitoring systems, multi-factor authentication for remote access to the IT environment, good security hygiene practices, and additional protections around how customers’ personal information is stored.
The order also calls for careful vendor selection and management, to ensure that third parties meet the same standards set internally.
The charges were brought against Marriott and Starwood by the US Federal Trade Commission (FTC) after data breaches that impacted some 344 million customers worldwide.
The FTC alleged that the hotel and resorts operator had misrepresented its level of data security and its personal information handling practices.
“Security failures resulted in at least three separate data breaches that enabled malicious actors to obtain vast amounts of personal information from hundreds of millions of consumers, including passport information, payment card numbers, and loyalty numbers,” the FTC alleged.