Attorney General Phil Weiser announced a settlement involving Marriott International, Inc. and a coalition of 50 attorneys general over a significant data breach. The breach involved the Starwood guest reservation system and spanned from July 2014 to September 2018. During this period, intruders accessed 131.5 million guest records, including sensitive information such as contact details, dates of birth, and unencrypted passport numbers.
The settlement requires Marriott to pay $52 million to the states involved, with Colorado receiving $822,434. "The law makes it clear to companies that they have to implement reasonable cybersecurity safeguards," stated Weiser. "By failing to comply with the law, Marriott harmed those whose data was stolen."
Marriott has agreed to enhance its cybersecurity measures by improving employee training, adopting better data security policies, and minimizing consumer data collection and retention. The company will also conduct regular third-party security assessments for the next two decades.
Additionally, Marriott will offer consumers a data deletion option and multi-factor authentication for loyalty rewards accounts like Marriott Bonvoy. The settlement funds may be used for restitution, consumer education or protection enforcement, or efforts benefiting public welfare.