Information Protection Agreement

This Information Protection Agreement (“Agreement”) applies to all associates/employees of the Marriott Group, which includes
Marriott International, Inc. and its subsidiaries/affiliates (collectively, the “Company”) and all Company Hotel Brands.
You are responsible for complying with this Agreement. Please read the Agreement in full, complete the acknowledgement
box at the bottom, and return the original signed Agreement to your Human Resources representative.
Note: this Agreement does not prohibit associates/employees from discussing the terms and conditions of their employment
in accordance with applicable law, including the U.S. National Labor Relations Act. Nor does it prohibit any other legally‐
protected communications or activities.
What Information is Covered by This Agreement? in some jurisdictions. In such instances, the broader
Two types of information are covered by this Agreement: definition of Personal Data will apply.
• Confidential or Proprietary Information about or Sensitive Personal Data
belonging to the Company; and • A type of Personal Data that includes: (i) social security
• Personal Data about our guests, associates, owners, number, taxpayer identification number, passport
franchisees, or other identifiable persons number, driver’s license number, or other government‐
Both types of information will be referred to as “Confidential issued identification number; (ii) credit or debit card
Information” for purposes of this Agreement. details or financial account number, with or without any
code or password that would permit access to the
Importance of Protecting Confidential Information account, or credit history; or (iii) information on race,
All associates are responsible for protecting Confidential religion, ethnicity, sex life or practices, or sexual
Information from loss, destruction, theft, or misuse at all orientation, medical or health information, genetic or
times. Associates shall not attempt to access Confidential biometric information, biometric templates, political or
Information unless authorized by the Company to access philosophical beliefs, political party or trade union
such information. Confidential Information must be used membership, background check information, judicial data
only as intended for legitimate business purposes. such as criminal records, or information on other judicial
Associates must limit disclosure of Confidential or administrative proceedings.
Information to those who have a business need to know
How to Protect Confidential Information
and who are otherwise authorized by the Company to
receive this information. Much of the information you work with contains or involves
Confidential Information. Protecting this information
Definitions and Examples of Confidential Information requires you to take care in engaging in conversations,
Company Confidential or Proprietary Information working with paper documents, or sending or receiving
• Information that is: (1) created, obtained, or used by the electronic communications such as email, voicemail, screen
Company that derives independent value from not being shares, and instant or text messages.
generally known to the public; (2) might harm the You must also take care when accessing or working with
Company or its guests, associates, owners, franchisees, Company systems or reports generated from these systems,
or other persons if disclosed; or (3) might be of value to including MARSHA, property management systems, payroll
the Company’s competitors and is undisclosed or or other HR systems, and computer software or applications.
commercially‐sensitive. Confidential Information must be protected regardless of
• Examples: information about the Company’s customers, where it resides, including in physical documents, laptops,
sales and marketing plans, pricing strategy, personnel desktop computers, mobile and other wireless devices, and
matters, financial data, means of doing business external storage devices such as CDs and flash drives.
(including all technical system information), management
agreements, franchise agreements, licensing agreements, Key Privacy and Information Security Resources
loyalty program plans and strategies, standard operating You are required to review applicable Marriott policies and
procedures, policies, product or service developments, standards on Marriott Global Source (MGS), including:
internal memoranda, associate usernames and
• Global Information Security Policy (MIP‐29)
passwords, and trade secrets.
• Global Privacy Policy (MIP‐91)
Personal Data • Enterprise Records Management (MIP‐15)
• Information that relates to an identified natural person • Information Disclosure to Owners & Franchisees (MIP‐72)
or to an identifiable person. • Asset Security Categorization & Data Classification (IT-GIS-
• An identifiable person is a natural person who can be 001)
identified, directly or indirectly, by reference to an • Information Security Standard (IT‐SEC‐002)
identifier such as a name, a unique identification number, • Personal Data Security Standard (IT-SEC-032)
an email or IP address, location data, or other
How to Report an Incident
information associated with the individual, such as guest
account information, associate personnel information, or If you believe any Confidential Information has been lost,
other data specifically recognized as Personal Data by stolen, or subject to any unauthorized access, disclosure, or
applicable laws, regulations, or legal authorities. misuse, please contact your Manager, Human Resources
• Personal Data is also often referred to as “Personally representative, or CIRT@Marriott.com immediately.
Identifiable Information (PII)” or “Personal Information”

1
December 2021
You can also contact the Business Integrity Line to report the
incident anonymously by visiting ethics.marriott.com and
Clearly Labeling Confidential Information
selecting one of the local language and contact options.
• Label all pages of Confidential Information as required by
I WILL PROTECT CONFIDENTIAL INFORMATION BY: relevant policies and standards, such as “MARRIOTT
Asking Questions and Reporting Problems CONFIDENTIAL AND PROPRIETARY INFORMATION”.
• Ask my Manager or the IT Help Desk if I am unsure how Protecting Passwords
to handle a request for Confidential Information. • Use passwords that are long, contain combinations of
• Report any instances of non‐compliance to my Manager. numbers, symbols, and upper‐ and lower‐case letters, are
Respecting Privacy and Confidentiality difficult to guess, and do not contain real words, phrases,
or personal information.
• Respect the privacy of, and keep confidential, Personal
• Do not repeat passwords or use similar passwords for my
Data of all guests, associates, hotel or residence owners,
Company accounts and personal accounts.
club members, authorized licensees, franchisees, and any
other parties who provided such data to the Company. • Keep passwords secret and never share them.
• Apply an extra level of protection and higher duty of care • Change passwords immediately if I believe someone may
to any Sensitive Personal Data. have gained access to my account, and report the issue
immediately to CIRT@Marriott.com.
• Use Confidential Information only to perform my job.
• Be aware of my surroundings and use good judgment Using Computer Resources Wisely
such as by not discussing or displaying Confidential • Use Company voicemail, email, Internet, and other
Information in any public places. technology wisely and primarily for business purposes.
• Treat others’ Confidential Information with the same • Understand the privacy risks of electronic
level of care I would use for my Confidential Information. communications such as email or instant messages.
• Never share Confidential Information with news media, These are not secure methods for transmitting
government officials, shareholders, other interested Confidential Information. If necessary to share such
persons, or the public without proper authorization from information, consider using other secure platforms.
Communications & Public Affairs, the Law Department, • Do not do business on unsecured wireless networks.
or as required by law. • Do not download suspicious applications from unknown
Securing Confidential Information vendors or click on links within suspicious emails.
• Only share Confidential Information with other associates • Do not reply to unsolicited emails, texts, or pop‐up
or other individuals specifically authorized by the messages that ask for any Confidential Information.
Company if needed to perform their jobs. Protecting Computers and Systems
• Use passwords, encryption, or other protections when • Never disable anti‐virus software or security patches that
sending or receiving Confidential Information such as the Company has installed or updated. If I am
Personal Data or Sensitive Personal Data. responsible for maintaining any computer equipment at
• Use extreme caution when sending any Confidential my business location, I will ensure that all equipment is
Information by email, fax, or other electronic means by protected with current anti‐virus software and patches.
always double‐checking recipients and calling ahead to • Do not disable or attempt to circumvent any encryption.
ensure that recipients are expecting the information.
• Always protect computers and portable devices, such as
• Allow access to Confidential Information by third parties by locking my screen when away, never leaving a
(e.g., owners, contractors) only under confidentiality computer unattended while traveling, and never
agreements approved by the Law Department. checking a laptop with luggage or leaving it my car.
• Keep Confidential Information in physical form (e.g.,
paper documents, flash drives, or mobile devices) in a Complying with Privacy and Software Licensing Laws
secure place such as a locked office or drawer. • Comply with any instructions I receive relating to privacy
Properly Disposing of Confidential Information or information protection laws.
• Comply with software laws by ensuring proper licensing
• Comply with the Company’s record and data retention and not copying software unless allowed by the vendor.
requirements, including by properly disposing of
Confidential Information in a secure manner.

I have read, understand, and agree to follow this Information Protection Agreement. I understand that my failure to follow this
Agreement may result in serious consequences, up to and including termination of employment. I also understand that my
obligation to protect and maintain the confidentiality of Confidential Information applies both during my employment and after
my separation from employment with the Company.
Associate/Employee signature
Date Print Name
Business Location/Department

2
December 2021