LEGAL NEWSLINE

Tuesday, November 5, 2024

Marriott settles for $52M over Starwood database breach affecting millions

State AG
Attorney General Mike Hilgers

Attorney General Hilgers announced that a coalition of 50 Attorneys General has reached a settlement with Marriott International, Inc. This follows an investigation into a significant data breach involving one of its guest reservation databases. The Federal Trade Commission, working closely with the states during this investigation, has also reached a parallel settlement with Marriott. Under the terms agreed upon with the Attorneys General, Marriott will enhance its data security practices using a dynamic risk-based approach, offer certain consumer protections, and pay $52 million to the states. Nebraska will receive $707,448 from this settlement.

Marriott acquired Starwood in 2016 and assumed control of the Starwood computer network that same year. However, intruders remained undetected in the system from July 2014 until September 2018. This breach affected 131.5 million guest records related to U.S. customers. Compromised records included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation details, hotel stay preferences, and some unencrypted passport numbers and unexpired payment card information.

After the announcement of the Starwood database breach, a coalition of 50 Attorneys General initiated a multistate investigation into the incident. Today's settlement resolves claims by the Attorneys General that Marriott breached state consumer protection laws, personal information protection laws, and applicable breach notification laws by not implementing reasonable data security measures or addressing data security deficiencies when integrating Starwood into its systems.

As part of the settlement terms, Marriott has committed to enhancing and continuously improving its cybersecurity practices through various measures:

- Establishing a comprehensive Information Security Program that includes new overarching mandates like zero-trust principles and regular security reporting to top executives including the CEO.

- Implementing data minimization and disposal requirements to reduce consumer data collection and retention.

- Adhering to specific security requirements concerning consumer data such as encryption and timely application of critical security patches.

- Enhancing vendor and franchisee oversight with risk assessments for "Critical IT Vendors" and clear contracts with cloud providers.

- Conducting timely assessments of acquired entities' information security programs when integrating them into Marriott's network.

- Undergoing independent third-party assessments of its information security program every two years for 20 years.

These measures are based on a well-developed risk-based approach requiring annual enterprise-level risk assessments as well as ongoing analyses throughout the year for changes in security controls. These assessments must consider potential harm to consumers.

Additionally, Marriott will give consumers specific protections, such as a data deletion option even where state law does not require it. It must also offer multi-factor authentication for loyalty rewards accounts such as Marriott Bonvoy, and review those accounts when suspicious activity is detected.

The multistate investigation was co-led by Connecticut, Maryland, Oregon, the District of Columbia, Illinois, Louisiana, Massachusetts, North Carolina, and Texas; assisted by an Executive Committee from Alabama, Arizona, Arkansas, Florida, Nebraska, New Jersey, New York, Ohio, Pennsylvania, and Vermont; and joined by Alaska, Colorado, Delaware, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Mexico, North Dakota, Oklahoma, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.