The recent FTC settlement with Marriott over multiple data breaches has sent ripples through the cybersecurity world.

If you missed it, Marriott and Starwood suffered what can only be described as catastrophic security failures. We’re talking fundamental lapses in basic security hygiene. The result was three large data breaches from 2014 to 2020 impacting more than 344 million customers worldwide.

The settlement itself mandates some essential security functions, like multi-factor authentication and encryption. Basic stuff, and some would say it sets a very low bar.

My issue is that the agreement focuses heavily on the auditability of Marriott’s security program, not necessarily its effectiveness. It’s a box-ticking exercise, prioritizing compliance over genuine security outcomes. In essence, it’s all a show. The real teeth in this settlement lie in the threat of perjury against officers who lie about implementing these minimal security measures.

So, what’s the takeaway for CISOs?

  1. Expect Increased Scrutiny
    This settlement sets a precedent. Expect regulators to demand more detailed and demonstrable security practices.
  2. Don’t Confuse Compliance with Security
    Meeting the bare minimum is not enough to protect you from a breach.

The Marriott settlement highlights a worrying trend. While regulatory action is necessary, it can sometimes lead to a “check-the-box” mentality.

But what about the victims?

Marriott customer data is out there by the bucketload, and no amount of regulation can put that genie back in the bottle. We need to adapt and prioritize proactive security measures that protect our organizations in this new reality.

What are your thoughts on the Marriott settlement?
