Attorney General Kwame Raoul, alongside a coalition of 50 attorneys general, has reached an agreement with Marriott International Inc. regarding a significant data breach of its guest reservation database. The settlement, which includes a $52 million payment to the states involved, aims to improve Marriott's data security practices and provide consumer protections. Illinois, one of the leading states in the investigation, will receive $2.1 million from this settlement.
Raoul commented on the situation, stating, “Marriott’s reservation database contained a range of personal customer information, and its data breach affected numerous Illinoisans.” He emphasized that the agreement would lead to “meaningful reforms” in how guest data is handled.
The breach occurred between July 2014 and September 2018 and involved around 131.5 million guest records in the United States. These records included contact details, gender, birthdates, and some unencrypted passport numbers and payment card information. The breach was discovered after Marriott acquired Starwood in 2016.
If approved by a judge, this settlement will address allegations that Marriott violated various state laws by not implementing adequate data security measures when integrating Starwood into its systems.
As part of the settlement terms, Marriott will enhance its cybersecurity practices through several initiatives:
- Implementation of a comprehensive Information Security Program.
- Data minimization and disposal requirements.
- Specific security measures for consumer data protection.
- Increased oversight of vendors and franchisees.
- Prompt assessment of acquired entities' information security programs.
- Biennial independent third-party assessments for two decades.
These measures are designed to ensure ongoing risk management focused on potential harm to consumers.
Consumers will also benefit from specific protections such as data deletion options and multi-factor authentication for loyalty accounts like Marriott Bonvoy.
The investigation was co-led by Illinois along with Connecticut, the District of Columbia, Louisiana, Maryland, Massachusetts, North Carolina, Oregon, and Texas. Additional support came from an Executive Committee comprising Alabama, Arizona, Arkansas, Florida, Nebraska, New Jersey, New York, Ohio, Pennsylvania, and Vermont.
Other participating states include Alaska, Colorado, and Delaware, among others, totaling fifty states collaborating on this investigation. The Federal Trade Commission coordinated closely with these states throughout the process and reached a parallel settlement with Marriott.
Chief Privacy Officer Matt Van Hise, along with other legal representatives, managed this settlement for Raoul’s Consumer Fraud Bureau.