In this episode, I dive into the FTC's enforcement action against Marriott, issued on October 9, 2024.
Below are my key takeaways from this enforcement action:
- Due Diligence for Mergers: Ensure thorough due diligence on data security when acquiring a new company.
- Implement Reasonable Data Security Policies: Companies should adopt security measures addressing common vulnerabilities across their assets.
  - Start with a security framework or, if budget allows, hire a third-party assessor to evaluate internal systems for vulnerabilities.
  - Flag systems storing sensitive information to enforce and maintain robust security protocols.
- Accurate Privacy Policy Representation: Make sure your privacy policy aligns with actual security practices.
  - Avoid using absolute terms like “industry standard” or “the best.”
  - Instead, provide a realistic overview of security practices without overpromising.