Marriott Makes $52M Settlement with 50 State AGs over Data Breach

New York Attorney General Letitia James on Wednesday announced a $52 million multistate settlement with Marriott International Inc. over a year’s long data breach of one of its guest reservation databases.

According to a multistate investigation, one of Marriott’s subsidiaries, Starwood Hotels and Resorts Worldwide, had intruders in its system for four years without getting detected. That reportedly led to a data breach that affected 131.5 million customers nationwide.

The settlement with 50 attorneys general requires Marriott to overhaul and strengthen its data security to protect customers’ private information and pay $52 million in penalties.

A multistate investigation discovered that from July 2014 until September 2018 intruders accessed and stayed on Starwood’s databases undetected. The theft of datat impacted people nationwide and exposed personal information, including contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information, according to investigators.

Under the settlement, some measures Marriott must undertake to strengthen its cybersecurity practices include:

• An independent third-party assessment of Marriott’s information security program every two years for a period of 20 years.
• Data minimization and disposal requirements that lead to less customer data being collected and retained.
• Implementation of a comprehensive information security program, including regular security reporting to the highest levels within the company.
• Increased vendor and franchisee oversight, with an emphasis on risk assessments for critical IT vendors, and clearly outlined contracts with cloud providers.
• If Marriott acquires another entity, it must promptly assess the acquired entity’s information security program and develop plans to address deficiencies as part of the integration into Marriott’s network.

The settlement also calls for Marriott to allow customers to delete their data stored with the hotel if they wish to. Marriott must also offer multi-factor authentication to customers for their loyalty rewards accounts, and conduct reviews of those accounts to ensure there is no suspicious activity.

The settlement includes the attorneys general of Alabama, Alaska, Arizona, Arkansas, Connecticut, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Mexico, New Jersey, New York, North Carolina, North Dakota, Ohio, Oregon, Oklahoma, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, West Virginia, Wisconsin, Wyoming, Vermont and the District of Columbia.