Attorney General Ken Paxton has reached a settlement with Marriott International, Inc. following an investigation into a breach of the company's reservation database. The breach exposed 131 million guest records in the United States, including contact information, gender, dates of birth, legacy Starwood Preferred Guest details, reservation information, hotel stay preferences, and some unencrypted passport numbers and unexpired payment card information.
The Agreed Final Judgment includes terms to improve Marriott's data security practices. Marriott's updated security program will now incorporate zero-trust principles, regular security reporting to senior company officials including the Chief Executive Officer, and enhanced employee training on data handling and security.
"Texas law is clear that companies in possession of Texans’ personal information have a duty to safeguard that data," said Attorney General Ken Paxton. "Given the frequency of cyberattacks today, it is simply unreasonable for companies to lack a comprehensive risk-based data security program. Through this settlement, customers will be much better protected. I will continue to fight for our citizens’ privacy and data security."
As part of the settlement, Marriott will pay $52 million to 50 states involved in this case, including $3.5 million allocated to Texas.