Data Minimization in Privacy and Cybersecurity
The Federal Trade Commission (FTC) recently announced that it will require Marriott International and its subsidiary Starwood Hotels & Resorts Worldwide to “implement a robust information security program to settle charges that the companies’ failure to implement reasonable data security led to three large data breaches from 2014 to 2020 impacting more than 344 million customers worldwide.” Marriott separately “agreed to pay a $52 million penalty to 49 states and the District of Columbia to resolve similar data security allegations,” under a parallel investigation.
These negotiated resolutions are the result of years-long investigations by the FTC and state authorities, who were responding to allegations that Marriott deceived customers and failed to maintain adequate data and privacy controls:
Marriott and Starwood deceived consumers by claiming to have reasonable and appropriate data security. Despite these claims, the companies unfairly failed to deploy reasonable or appropriate security to protect personal information. Specifically, the proposed complaint alleges that Marriott and Starwood failed to: implement appropriate password controls, access controls, firewall controls, or network segmentation; patch outdated software and systems; adequately log and monitor network environments; and deploy adequate multifactor authentication.
Key Takeaways from FTC Draft Settlement
The announcement and penalties serve as a helpful reminder of the risks associated with failing to maintain an adequate privacy program, which protects a business’s consumers and partners.
Just as important, the terms of the FTC’s draft settlement agreement with Marriott provide insight into the growing regulatory focus on data minimization in privacy and cybersecurity matters.
Cobun Zweifel-Keegan, from IAPP, provides helpful insights into the settlement agreement here. In short, the draft settlement agreement highlights the following important regulatory focuses:
- Data minimization throughout the data lifecycle
- Legitimate business need for both the collection and retention of personal data
- Requirement to limit collection, use, sharing and retention of personal data to the minimum extent necessary
- Right to deletion
Even though many of these requirements are not yet federally required, they are required in some states and in many international jurisdictions. Likewise, it is clear that state and federal regulators are continuing to push in the direction of data minimization.
Consult with a Privacy Professional
If you have questions about your corporate privacy program, your jurisdictional requirements, or best practices, contact our office to discuss data minimization and your data and privacy law needs.