
PIPEDA Findings #2022-005: Hotel chain discovers breach of customer database following acquisition of a competitor
Following a data breach involving the Starwood hotel database, the Office of the Privacy Commissioner of Canada (OPC) investigated Marriott International, Inc. The investigation found that Marriott's security safeguards, accountability measures, and information retention practices were inadequate at the time of the breach, leading to unauthorized access to personal information. While Marriott has taken remedial actions and the complaint is conditionally resolved, the OPC highlighted failures in access controls, antivirus software, logging and monitoring, and information storage. The OPC also found Marriott contravened accountability principles by not adequately assessing security risks during its acquisition of Starwood and retaining personal information longer than necessary.
- Adequacy of security safeguards for personal information
- Marriott's accountability and due diligence during the acquisition of Starwood
- Timeliness of information retention and deletion practices
- Adequacy of notification and mitigation measures for affected individuals
Complaint well-founded and conditionally resolved
The investigation found that Marriott's security safeguards were inadequate, particularly concerning access controls, antivirus software, logging and monitoring, and information storage. Failures in ongoing assessment of security safeguards and improper information retention periods also constituted contraventions of PIPEDA.
AI-generated summary for reference only. Always verify against the official decision.
Marriott agreed to engage an external assessor to evaluate its security enhancements, review its organizational and governance measures, and submit reports on these assessments to the OPC.
- Principle 4.7 PIPEDA
- Principle 4.1.4 PIPEDA
- Principle 4.5 PIPEDA
This summary is informational only and not legal advice.

