
Marriott settles $52 million over data breach impacting millions

LEGAL NEWSLINE

Wednesday, January 22, 2025

State AG

Attorney General Liz Murrill | Ballotpedia

Attorney General Liz Murrill has announced that Louisiana will receive $1,400,289 as part of a settlement with Marriott International, Inc. This is part of a larger $52 million settlement reached by a coalition of 50 Attorneys General following an investigation into a significant data breach involving Marriott's guest reservation database.

The Federal Trade Commission coordinated closely with the states during this investigation and reached a parallel settlement with Marriott. Under the agreement with the Attorneys General, Marriott has committed to enhancing its data security practices using a dynamic, risk-based approach and to offering certain consumer protections.

Marriott acquired Starwood in 2016 and took control of its computer network the same year. However, from July 2014 until September 2018, intruders went undetected in the system. This resulted in the breach of 131.5 million guest records related to U.S. customers. The compromised records included contact information, gender, dates of birth, legacy Starwood Preferred Guest details, reservation information, hotel stay preferences, and some unencrypted passport numbers and unexpired payment card information.

Following the announcement of the breach in Starwood's database, a coalition of 50 Attorneys General initiated a multi-state investigation. The settlement addresses allegations that Marriott violated state consumer protection laws and personal information protection laws by not implementing adequate data security measures or addressing deficiencies when integrating Starwood into its systems.

Under the settlement terms, Marriott will enhance its cybersecurity practices through various measures:

- Implementation of an Information Security Program incorporating zero-trust principles.

- Data minimization and disposal requirements.

- Specific security requirements for consumer data including encryption and intrusion detection.

- Increased oversight on vendors and franchisees.

- Assessments for acquired entities' information security programs post-acquisition.

- Independent third-party assessments every two years for twenty years.

These measures are based on a risk-based approach requiring annual enterprise-level risk assessments and ongoing analyses throughout the year.

Additionally, Marriott will provide consumers with specific protections, such as a data deletion option even where state law does not require one. It must also offer multi-factor authentication for loyalty rewards accounts such as Marriott Bonvoy.

Connecticut, Maryland, and Oregon, along with several other states, co-led this multistate investigation, supported by an Executive Committee that included Alabama among other states.
