
LEGAL NEWSLINE

Thursday, November 21, 2024

AG Campbell Announces $52 Million Settlement With Marriott For Breach Of Guest Reservation Database



Attorney General Andrea Joy Campbell announced a multistate settlement with Marriott International, Inc. following an investigation into a large multi-year data breach of one of the hotel chain's guest reservation databases, impacting more than 130 million guest records nationwide. The Federal Trade Commission (FTC), which has been coordinating closely with the states throughout this investigation, has reached a parallel settlement with Marriott. Under the settlement with the attorneys general, which is subject to court approval, Marriott has agreed to strengthen its data security practices, provide certain consumer protections, and make a $52 million payment to the states. Massachusetts will receive $1.6 million from the settlement.

“Consumers should have an expectation that their private information and data will be protected,” said AG Campbell. “I am extremely proud of this settlement, which serves as a reminder that companies are obligated to take steps to protect personal and private consumer data from being exploited or shared.” 

Marriott acquired Starwood Hotels & Resorts Worldwide in 2016 and took control of the Starwood computer network. Intruders had already entered the Starwood system in July 2014, two years before the acquisition, and remained undetected in the network until September 2018, ultimately accessing 131.5 million guest records pertaining to customers in the United States. The impacted records included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card numbers.

Shortly after the breach of the Starwood database was announced, a coalition of 50 attorneys general launched a multistate investigation into the breach. Today's settlement resolves allegations by the attorneys general that Marriott violated state consumer protection and personal information protection laws and, where applicable, breach notification laws by failing to implement reasonable data security and to remediate known data security deficiencies, particularly when attempting to use and integrate the Starwood network into its own systems.

Under the terms of the settlement, which is pending court approval, Marriott will strengthen its cybersecurity practices. Some of the specific measures include:

  • Implementation of a comprehensive Information Security Program. This includes new overarching security program mandates, such as incorporating zero-trust principles, regular security reporting to the highest levels within the company, including the Chief Executive Officer, and enhanced employee training on data handling and security;
  • Data minimization and disposal requirements, which will lead to less consumer data being collected and retained;
  • Specific security requirements with respect to consumer data, including component hardening, conducting an asset inventory, encryption, segmentation to limit an intruder’s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the network;
  • Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers;
  • In the future, if Marriott acquires another entity, it must further assess the acquired entity’s information security program and develop plans to address identified gaps or deficiencies in security as part of the integration into Marriott’s network; and
  • An independent third-party assessment of Marriott’s information security program every two years for a period of 20 years for additional security oversight.

These terms are grounded in a risk-based approach that will require Marriott to continually assess cyber security risks in its own computer systems, as well as address potential harm to consumers and their data.

As part of the settlement, Marriott will give consumers specific protections, including a data deletion option, even if consumers do not currently have that right under state law. Marriott must offer multi-factor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy, as well as reviews of those accounts if there is suspicious activity.

This matter was handled by Deputy Chief Mychii Snape of the AGO’s Public Protection and Advocacy Bureau and Chief Jared Rinehimer and Assistant Attorney General Camy Ruck, both of the AGO’s Privacy and Responsible Technology Division.

AG Campbell’s Privacy and Responsible Technology Division (PRTD), which had a leading role in this resolution, was recently renamed from the Data Privacy and Security Division to better reflect the scope of the work done by the Division. In addition to enforcing state laws related to consumer data privacy and security, PRTD also works with staff from across the Office to investigate and curb dangers associated with modern technology.

Massachusetts co-led the multistate investigation alongside the attorneys general from Connecticut, the District of Columbia, Illinois, Louisiana, Maryland, North Carolina, Oregon, and Texas. They were assisted by the Executive Committee of Alabama, Arizona, Arkansas, Florida, Nebraska, New Jersey, New York, Ohio, Pennsylvania, and Vermont, and joined by Alaska, Colorado, Delaware, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Mexico, North Dakota, Oklahoma, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

