Marriott also will be required to review loyalty rewards accounts upon customer request and restore stolen loyalty points.
The FTC does not have legal authority to impose civil penalties in the case.
“Protecting guests' personal data remains a top priority for Marriott,” the company said.
And they didn’t patch outdated software and systems, or put in place adequate multifactor authentication.
The agreement will be published in the Federal Register and subject to public comment for 30 days.
After that period, the commission will decide whether to make the proposed consent order final.