Comments of EPIC in re the Federal Trade Commission’s Proposed Order & Settlement with Marriott and Starwood
FTC File No. 192-3022 (Nov. 2024)
November 12, 2024
Chair Lina M. Khan
Commissioner Rebecca Kelly Slaughter
Commissioner Alvaro Bedoya
Commissioner Andrew Ferguson
Commissioner Melissa Holyoak
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
RE: Marriott International Inc., et al., FTC File No. 1923022
Dear Chair Khan and Commissioners Slaughter, Bedoya, and Ferguson,
By notice published October 9, 2024, the Federal Trade Commission (FTC or Commission) announced a proposed consent order with Marriott International Inc. and Starwood Hotels & Resorts, LLC (collectively Marriott), for Marriott’s alleged violations of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), which prohibits unfair or deceptive acts or practices.[1] The proposed consent order is the result of the FTC’s two-count complaint alleging that Marriott made deceptive statements concerning its information security practices and failed to reasonably protect consumers’ personal and financial information.[2] Additionally, this consent decree was announced in concert with the settlement of a coordinated investigation by 49 state attorneys general and the District of Columbia, which resulted in $52 million to be distributed among all 50 participants.[3]
The Electronic Privacy Information Center (EPIC) submits this letter to applaud the FTC’s efforts in this matter and to provide recommendations to strengthen the proposed order (and others like it in future cases concerning breaches of data privacy). EPIC is a public interest research center in Washington, D.C. established in 1994 to focus public attention on emerging civil liberties issues and to secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation. EPIC routinely files comments in response to proposed FTC consent orders and complaints regarding business practices that violate privacy rights.[4]
EPIC strongly commends the Commission for its use of Section 5 authority to protect consumers from Marriott’s dangerous cybersecurity practices and hopes the Commission will continue to protect consumers as it has done on this topic.[5] EPIC also commends the Commission’s coordination with state attorneys general, as they can be valuable partners in safeguarding consumer privacy and incentivizing companies to take their data security obligations seriously. Cybersecurity breaches have an outsized impact on consumers: consumers whose data have been lost to a breach are more susceptible to identity theft and financial fraud, and suffer psychological harms such as anxiety, depression, and PTSD.[6] The breaches of Marriott and Starwood systems between 2014 and 2020 led to the exfiltration of uniquely sensitive information such as “consumer names. . . passport numbers, travel itineraries, number of children travelled with, and hotel stay preferences.”[7] The compromise of this data places a high burden on consumers to protect themselves from future harms, such as identity theft. Consumers can spend up to 18 months resolving even just the immediate consequences of identity theft.[8] The impacts of breaches can also grow more severe over time, as successive breaches compound one another.[9]
Sources of guidance for Marriott, and corporations like it, on how to reasonably safeguard consumer data from these types of breaches are abundant and consistent. The Commission has been exceedingly consistent when it comes to addressing cybersecurity issues over the last two decades. The FTC has developed a reliable corpus for reference on these matters through its case-by-case enforcement actions. In its comments on the FTC’s Advance Notice of Proposed Rulemaking (ANPR) on Commercial Surveillance & Data Security, EPIC noted that the volume of cybersecurity cases this Commission has brought creates sufficient precedent for the Commission to establish poor data security as a deceptive trade practice[10] and also as an unfair trade practice.[11] The corrected deficiencies outlined in these enforcement actions are very similar to requirements established across multiple cybersecurity regulations.[12] Companies have enough information to build cost-effective cybersecurity programs that protect consumers.[13]
Several of the issues found to plague Marriott’s cybersecurity practices in particular bear striking similarity to some of the issues this Commission found in its investigation of another hospitality company, Wyndham Worldwide Corp. (Wyndham). The Commission found that Wyndham “failed to. . . [employ] firewalls. . . failed to remedy known security vulnerabilities on Wyndham-branded hotels’ servers. . . failed to adequately restrict third-party vendor’s access to [Wyndham’s] network”[14]; here the Commission has alleged that Marriott “failed to implement appropriate password controls. . . failed to patch outdated software. . . leaving Starwood’s network susceptible to attacks. . . failed to implement appropriate access controls . . . failed to implement firewall controls.”[15] In Wyndham, the court likened this cybersecurity negligence to an egregious failure to clean up banana peels to such an extent that hundreds of thousands of consumers slipped on them.[16] As already noted, the Commission has reached numerous settlements with other companies that can also serve as further guidance on what reasonable cybersecurity entails, in addition to frameworks developed by NIST and others on this topic.[17]
Although EPIC supports this proposed settlement broadly, EPIC is particularly supportive of the proposed mandates relating to vendor oversight and the requirement to work with a third-party auditor.[18] Vendors are prevalent vectors for breaches, so prospectively ensuring Marriott does not entrust consumer data to deficient service providers is a timely preventative measure.[19] Independent auditing is important for accountability because it can be a conflict of interest for companies to evaluate their own cybersecurity compliance (“grade their own homework”) after having already been found deficient.[20] EPIC has consistently supported these provisions that lead to stronger cybersecurity programs and better outcomes for consumers and companies alike.[21]
EPIC urges the Commission to finalize the proposed Marriott consent order. Additionally, EPIC encourages the Commission to continue to build on its use of unfairness authority in the data security context, as well as its centering of data minimization in enforcement actions and regulations.
[1] See Marriott Complaint, In re Marriott Int’l Inc. and Starwood Hotels & Resorts Worldwide, LLC, File No. 1923022 at ¶36 https://www.ftc.gov/system/files/ftc_gov/pdf/1923022marriottcomplaint.pdf (“Marriott Complaint”).
[2] Marriott Complaint at ¶¶33-35.
[3] Elizabeth Benton, Attorney General Tong Co-Leads $52 Million Multistate Settlement with Marriott for Data Breach of Starwood Guest Reservation Database, Press Release, The Office of the Attorney General, Connecticut (Oct. 9, 2024), https://portal.ct.gov/ag/press-releases/2024-press-releases/multistate-settlement-with-marriott-for-data-breach-of-starwood-guest-reservation-database.
[4] See, e.g., Comments of EPIC, Demand Progress, and EFF in re the Federal Trade Commission’s Proposed Order & Settlement with X-Mode Social, Inc. (Feb. 20, 2024), https://epic.org/documents/comments-of-epic-demand-progress-and-eff-in-re-the-federal-trade-commissions-proposed-order-settlement-with-x-mode-social-inc/; EPIC, EPIC Commends FTC for Including Data Minimization & Data Rights in Chegg Settlement (Dec. 12, 2022), https://epic.org/epic-commends-ftc-for-including-data-minimization-data-rights-in-chegg-settlement/; EPIC, EPIC Applauds FTC SpyFone Ban, Urges Similar Remedies in Future Privacy Cases (Oct. 8, 2021), https://epic.org/epic-applauds-ftc-spyfone-ban-urges-similar-remedies-in-future-privacy-cases/.
[5] See, e.g., Comments of EPIC in re the Federal Trade Commission’s Proposed Order with Chegg, Inc., FTC File No. 202-3151 (Dec. 12, 2022), https://epic.org/documents/comments-of-epic-in-re-the-federal-trade-commissions-proposed-order-settlement-with-chegg-inc/ (hereinafter “EPIC re Chegg”); Comments of EPIC in re the Federal Trade Commission’s Proposed Order with Blackbaud, Inc., FTC File No. 202-3181 (Mar. 2024), https://epic.org/documents/comments-of-epic-in-re-the-federal-trade-commissions-proposed-order-settlement-with-blackbaud/ (hereinafter “EPIC re Blackbaud”); Comments of EPIC in re the Federal Trade Commission’s Proposed Order with BetterHelp, Inc., FTC File No. 202-3169 (Apr. 12, 2022), https://epic.org/documents/comments-of-epic-in-re-the-federal-trade-commissions-proposed-order-settlement-with-betterhelp-inc/ (hereinafter “EPIC re BetterHelp”); Comments of EPIC in re the Federal Trade Commissions Proposed Order with Global Tel*Link, FTC File No. 212-3012 (Dec. 2023), https://epic.org/documents/comments-of-epic-in-re-the-federal-trade-commissions-proposed-order-settlement-with-global-tellink/ (hereinafter “EPIC re GTL”).
[6] See, e.g., Danielle Citron and Daniel Solove, “Risk and Anxiety: A Theory of Data Breach Harms”, Texas L. Rev. (2018), https://scholarship.law.bu.edu/faculty_scholarship/616/; Erika Harrell and Alexandra Thompson, Victims of Identity Theft, 2021, DOJ, Doc. No. NCJ 306474 at 12 (Oct. 2023), https://bjs.ojp.gov/document/vit21.pdf; Ido Kilovaty, “Psychological Data Breach Harms,” U.N.C. J. of L. & Tech. (2021), https://scholarship.law.unc.edu/cgi/viewcontent.cgi?article=1432&context=ncjolt; Jessica Guynn, Anxiety, Depression and PTSD: The Hidden Epidemic of Data Breaches and Cyber Crimes, USA TODAY (Feb. 24, 2020), https://www.usatoday.com/story/tech/conferences/2020/02/21/data-breach-tips-mental-health-toll-depression-anxiety/4763823002/; Eleanor Dallaway, #ISC2Congress: Cybercrime Victims Left Depressed and Traumatized, INFO. SEC. (Sep. 12, 2016), https://www.infosecurity-magazine.com/news/isc2congress-cybercrime-victims/.
[7] Marriott Complaint at ¶¶ 8, 16, 20.
[8] IDShield, How Long Does it Take to Fix Identity Theft? (Feb. 21, 2022), https://www.idshield.com/blog/identity-theft/how-many-hours-fix-identity-theft/ (citing to Bureau of Justice Statistics, FTC, Experian, and others).
[9] See, e.g., Brief for Electronic Frontier Foundation and EPIC as Amici Curiae, Supporting Plaintiffs-Appellee, Peter Maldini v. Marriott International Inc., No. 22-1744(L), at 6-9 (Nov. 11, 2022), https://epic.org/documents/peter-maldini-v-marriott-international-inc/.
[10] Comments of EPIC, FTC Proposed Trade Regulation Rule on Commercial Surveillance and Data Security at 194 (Nov. 2022), https://epic.org/wp-content/uploads/2022/12/EPIC-FTC-commercial-surveillance-ANPRM-comments-Nov2022.pdf [hereinafter “Disrupting Data Abuse”].
[11] Id. at 191.
[12] Id. at 194-197; see also Comments of EPIC, In re Opportunities for and Obstacles to Harmonizing Cybersecurity Regulations (RFI), ONCD-2023-0001 at Appendix 1 (Oct. 2023), https://epic.org/documents/in-re-opportunities-for-and-obstacles-to-harmonizing-cybersecurity-regulations-rfi/ [hereinafter “EPIC ONCD Comment”].
[13] See, e.g., FINRA, Report on Cybersecurity Practices (Feb 2015), https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf; NIST, Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (Apr. 16, 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf; CISA, Cross-Sector Cybersecurity Performance Goals (2022), https://www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf.
[14] FTC v. Wyndham Worldwide Corporation, WL 12372027 at ¶24 (D.N.J. 2012), https://www.ftc.gov/sites/default/files/documents/cases/2012/08/120809wyndhamcmpt.pdf (hereinafter “Wyndham Complaint”).
[15] Press Release, FTC Takes Action Against Marriott and Starwood Over Multiple Data Breaches, FTC (Oct. 9, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/10/ftc-takes-action-against-marriott-starwood-over-multiple-data-breaches.
[16] FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 247 (3d Cir. 2015) (“were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under § 45(a).”).
[17] See EPIC ONCD Comment at Appendix 1; see also, e.g., Federal Trade Comm’n, About Page: Privacy and Security Enforcement, FTC (accessed Nov. 7, 2024), https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/privacy-security-enforcement; NIST, The NIST Cybersecurity Framework 2.0 (Feb. 26, 2022), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf.
[18] Marriott Settlement at 6 and 8.
[19] Disrupting Data Abuse at 204-05.
[20] Id. at 208 (citing to Data Security at Risk: Testimony from a Twitter Whistleblower: Hearing Before the S. Comm. on the Judiciary, 117th Cong. (2022), https://www.judiciary.senate.gov/meetings/data-security-at-risk-testimony-from-a-twitter-whistleblower).
[21] See generally EPIC re Chegg; EPIC re Blackbaud; EPIC re GTL; EPIC re BetterHelp.