The Federal Trade Commission (FTC) has finalized an order requiring Marriott International and its subsidiary Starwood Hotels & Resorts Worldwide to implement a comprehensive information security program.
The final order settles the FTC’s charges announced in October that the companies deceived customers by claiming to have reasonable data security, when in fact they did not.
The companies suffered three data breaches that affected more than 344 million of their customers worldwide, according to the FTC.
Under the order, Marriott and Starwood are required to establish a comprehensive information security program, retain personal information only as long as necessary, and restore stolen loyalty points upon request.