Attorney General Clark Announces $590,000 Settlement with Marriott over Data Breach
Nationwide multistate settlement amounts to $52 Million
Attorney General Charity Clark announced today that a coalition of 50 attorneys general has reached a settlement with Marriott International, Inc. after an investigation into a large multi-year data breach of one of Marriott’s Starwood guest reservation databases. Under the settlement, Marriott has agreed to strengthen its data security practices using a dynamic risk-based approach, pay $52 million to states, and provide additional consumer protections. Vermont will receive $590,292.25 from the settlement. The Federal Trade Commission, which has been coordinating closely with the states throughout their investigation, has reached a parallel settlement with Marriott.
“This case is a $52 million reminder that good data hygiene, such as data minimization, can protect not only consumers but also businesses that suffer a data breach,” said Attorney General Clark. “Sloppy data security practices will not be tolerated.”
Marriott acquired Starwood in 2016 and took control of the Starwood computer network in 2016. From July 2014 until September 2018, intruders into this computer network went undetected. This failure led to the breach of 131.5 million guest records pertaining to customers in the United States. The impacted records included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.
Shortly after the breach of the Starwood database was announced, a coalition of 50 attorneys general launched a multi-state investigation into the breach. Today’s settlement resolves allegations by Attorney General Clark that Marriott violated Vermont’s Consumer Protection Act and Security Breach Notification Act by failing to implement reasonable data security and remediate data security deficiencies, particularly when attempting to use and integrate Starwood into its systems.
Under the terms of the settlement, Marriott has agreed to strengthen and continually improve its cybersecurity practices. Some of the specific measures include:
- Implementation of a comprehensive Information Security Program. This includes new overarching security measures, such as incorporating zero-trust principles, regular security reporting to the highest levels within the company, including the Chief Executive Officer, and enhanced employee training on data handling and security. • Data minimization and disposal requirements, which will lead to less consumer data being collected and retained – and, therefore, vulnerable in the event of a breach.
- Specific security requirements with respect to consumer data, including strengthening the company’s security networks, conducting an asset inventory, encryption, segmentation to limit an intruder’s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the network.
- Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors” that have direct access to company assets and databases, and clearly outlined contracts with cloud providers.
- In the future, should Marriott acquire another entity, it must timely assess the acquired entity’s data security program and develop plans to address identified gaps or deficiencies in security as part of the integration into Marriott’s network.
- An independent third-party assessment of Marriott’s data security program every two years for a period of 20 years for additional security oversight.
These settlement terms are grounded in a well-developed risk-based approach in which Marriott not only needs to conduct an annual enterprise-level risk assessment, but it must also perform risk analyses throughout the year for changes to security controls. Those ongoing risk assessments must address the criteria of “harm to others” – which would include potential harm to consumers.
As part of the settlement, Marriott will give consumers specific protections, including a data deletion option, even if consumers do not currently have that right under state law. Marriott must offer multi-factor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy, as well as reviews of those accounts if there is suspicious activity.
A copy of the settlement is available here.