Attorney General Charity Clark announced a settlement with Marriott International, Inc. regarding a data breach involving the Starwood guest reservation database. The settlement, part of a larger $52 million agreement reached by 50 attorneys general, includes provisions for enhanced data security measures and consumer protections. Vermont will receive $590,292.25 from this settlement.
The Federal Trade Commission also reached a parallel agreement with Marriott. "This case is a $52 million reminder that good data hygiene, such as data minimization, can protect not only consumers but also businesses that suffer a data breach," said Attorney General Clark. "Sloppy data security practices will not be tolerated."
Marriott acquired Starwood in 2016 and took control of its computer network the same year. However, from July 2014 to September 2018, intruders accessed the network undetected, compromising 131.5 million guest records in the United States. The breach exposed contact information, gender, dates of birth, reservation details, and some unencrypted passport numbers and payment card information.
Following the announcement of the breach, attorneys general launched an investigation into Marriott's practices. The settlement addresses allegations that Marriott violated Vermont’s Consumer Protection Act and Security Breach Notification Act by failing to implement adequate security measures.
Under the terms of the settlement, Marriott is required to improve its cybersecurity practices using a risk-based approach. This includes conducting annual enterprise-level risk assessments and ongoing analyses for changes to security controls focusing on potential harm to consumers.
Additionally, Marriott must offer specific consumer protections such as multi-factor authentication for loyalty accounts like Marriott Bonvoy and provide options for data deletion even if not mandated by state law.