This hardly seems like enough to encourage a change in behavior. Marriott settles with FTC, to pay $52 million over data breaches. Though the FTC is also trying to change behavior in other ways.
Marriott International and its subsidiary Starwood Hotels will pay $52 million and create a comprehensive information security program as part of settlements for data breaches that impacted over 344 million customers.
The settlement requires Marriott and Starwood to implement a comprehensive security program and allow their U.S. customers to request personal data deletions.
Additionally, the American hospitality giant has agreed to pay $52,000,000 to 49 states to resolve claims related to the data breaches.
$52 million divided by 344 million customers is about 15 cents per person.
And this wasn't really a single breach, there were 3 separate breaches covering a couple of divisions of the company. Some of the intrusions went undetected for YEARS.
The FTC accuses the two companies [Marriott and its subsidiary] of misleading consumers about their data security practices and outlined failures such as poor password controls, outdated software, and lack of appropriate monitoring of its IT environment.
The FTC also spells out some business practices that Marriott will need to adopt, around security the data of customers, including allowing customers to request deletion of their data. Click thru for the list.
For a company with gross profit in the trailing twelve months of $5 billion, $52 million as a fine for potentially screwing up the lives and credit of 344 million customers seems like less than a slap on the wrist.
As for the business procedures the FTC is mandating, these are not outlandish. The first item on the list is, "Establish a comprehensive information security program with third-party assessments every two years and annual compliance certification for 20 years." That is not out of the ordinary, and will cost money. But they should have been doing that in any event. (They clearly were not.)
I would like to think that in 2024 basic security practices would be covered under the board of directors "Duty of Care," and perhaps a breach of their fiduciary responsibilities, but I know that no one, aside from the grunts in the trenches, will be held accountable. The directors have an out, of course; they used "reasonable care." Which is to say that they don't know anything about security, have no intention to learn about security, and so it never occurred to them to even ask about security. And if they did ask, they probably would have gotten a "don't worry about it" answer. Until some executives, and maybe a handful of directors are held accountable this kind of thing will continue to happen.
Someday companies will take data security seriously. That day is probably not today, or any day soon.
No comments:
Post a Comment
Comment Moderation is in place. Your comment will be visible as soon as I can get to it. Unless it is SPAM, and then it will never see the light of day.
Be Nice. Personal Attacks WILL be deleted. And I reserve the right to delete stuff that annoys me.