
Marriott settles $52M over Starwood guest database breach affecting millions

LEGAL NEWSLINE

Monday, January 27, 2025



Attorney General Jonathan Skrmetti | Ballotpedia

Attorney General Jonathan Skrmetti has announced a $52 million settlement involving Marriott International, Inc. following an investigation into a significant data breach of its guest reservation database. This agreement involves a coalition of 50 Attorneys General and the Federal Trade Commission, which also reached a parallel settlement with Marriott.

Under the terms of the settlement, Marriott is required to enhance its data security practices by adopting a dynamic risk-based approach and offering certain consumer protections. Additionally, Marriott will make a $52 million payment to the states involved in the settlement, with Tennessee receiving $919,043.

“When Tennesseans submit their personal information to a company, they expect that to stay private,” said Tennessee Attorney General Jonathan Skrmetti. “A breach of this magnitude is not just a violation of privacy; it’s a violation of trust.”

The breach affected 131.5 million guest records in the United States between July 2014 and September 2018. The compromised information included contact details, gender, dates of birth, reservation information, hotel preferences, some unencrypted passport numbers, and unexpired payment card data.

The multi-state investigation alleged that Marriott violated various state laws by failing to implement adequate data security measures when integrating Starwood's systems after acquiring it in 2016.

Marriott has agreed to several cybersecurity improvements as part of the settlement:

- Implementing an Information Security Program incorporating zero-trust principles.

- Enhancing employee training on data handling.

- Establishing data minimization and disposal requirements.

- Strengthening security for consumer data through encryption and intrusion detection.

- Increasing oversight on vendors and franchisees.

- Conducting independent third-party assessments every two years for 20 years.

Consumers will receive specific protections under this agreement, including options for data deletion and multi-factor authentication for loyalty accounts like Marriott Bonvoy.

States joining Tennessee in this settlement include Alaska, Alabama's Executive Committee, Arkansas, Arizona, California, Colorado, Connecticut (which worked closely with Tennessee), Delaware, and the District of Columbia, among others across the nation.
