EPIC Commends Vendor Oversight, Third-Party Auditing, and Data Retention Limits in FTC’s Marriott Data Breach Settlement
November 13, 2024
On November 12, EPIC submitted a letter comment to the Federal Trade Commission in support of its proposed consent decree with Marriott International Inc. regarding a series of data breaches that occurred at Marriott and Starwood resorts over multiple years. EPIC encouraged the FTC to approve the proposed consent order and expressed support for the Commission’s continuing use of its Section 5 authority to protect consumers from deficient cybersecurity practices.
EPIC also praised the inclusion of provisions related to vendor oversight, independent auditing, and data retention. Vendors are increasingly favored targets for breaching larger companies’ customer data, so attention to vendors’ cybersecurity practices is an important preventative measure. Independent auditing is important because allowing companies to “grade their own homework” often results in uncorrected deficiencies. Data retention limits reduce harms to consumers if a breach does occur, without compromising a company’s ability to continue to perform necessary business functions, as they only require the deletion of data that is no longer necessary.
EPIC regularly files comments in response to proposed FTC consent orders and complaints regarding business practices that violate privacy rights. EPIC has also participated in amicus briefs addressing the consumer harms that result from deficient cybersecurity practices.