The shortest breach lasted 14 months before it was detected, while the longest one saw attackers maintain access for four years, starting in 2018. The beefed-up security programs they've agreed to establish include creating policies to only keep information for as long as it’s needed and publishing a link allowing US customers to request the deletion of information tied to their email address or loyalty account.
Beyond improving their security, the companies are now forbidden “from misrepresenting how they collect, maintain, use, delete or disclose consumers’ personal information; and the extent to which the companies protect the privacy, security, availability, confidentiality, or integrity of personal information.” Other requirements include that they keep compliance records and submit to FTC inspections. The order will stay in effect for 20 years.