Montgomery, AL – Alabama Attorney General Steve Marshall announced this week that a coalition of 50 Attorneys General has reached a settlement with Marriott International, Inc. following a multi-year investigation into a significant data breach of the company’s guest reservation database. The Federal Trade Commission (FTC), which coordinated closely with the states throughout the investigation, has also reached a parallel settlement with Marriott.
Under the terms of the settlement, Marriott has agreed to implement stronger data security practices and will pay $52 million to the states involved. Alabama will receive $973,468 from this settlement.
“Companies must prioritize the protection of consumer data,” said Attorney General Marshall. “Consumers are required to give away massive amounts of sensitive information just to book a hotel room, rent a car, or buy a plane ticket. In return, these companies must regularly assess and bolster their ability to protect their consumers’ information. Particularly in today’s challenging economic environment, consumers shouldn’t also have to worry about their personal information being compromised.”
The breach occurred after Marriott acquired Starwood in 2016, gaining control of the Starwood computer network. Intruders accessed the system from July 2014 to September 2018, leading to the exposure of 131.5 million guest records, including personal information such as contact details, gender, dates of birth, reservation information, hotel stay preferences, and a limited number of unencrypted passport numbers and unexpired payment card information.
In response to the breach, the coalition of Attorneys General initiated a multi-state investigation, which led to allegations that Marriott violated state consumer protection laws, personal information protection laws, and breach notification laws by failing to implement reasonable data security measures.
As part of the settlement, Marriott has committed to the following measures to enhance its cybersecurity practices:
- Establishment of a comprehensive Information Security Program, which includes adopting zero-trust principles, regular security reporting to the company’s highest levels, and improved employee training on data handling and security.
- Implementation of data minimization and disposal requirements to reduce the amount of consumer data collected and retained.
- Adoption of specific security requirements for consumer data, including asset inventory, encryption, segmentation, timely patch management, intrusion detection, user access controls, and monitoring of file movement within the network.
- Enhanced oversight of vendors and franchisees, with a focus on risk assessments for critical IT vendors.
- Requirement for Marriott to assess the information security programs of any entities it acquires in the future to identify and address security gaps.
- An independent third-party assessment of Marriott’s information security program every two years for the next 20 years.
The settlement also provides consumers with protections such as a data deletion option, even if not currently required by state law, and the implementation of multi-factor authentication for loyalty rewards accounts, including Marriott Bonvoy.
The investigation was co-led by Attorneys General from Connecticut, Maryland, and Oregon, along with the District of Columbia and others. The coalition included Attorneys General from Alabama, Arizona, Arkansas, Florida, Nebraska, New Jersey, New York, Ohio, Pennsylvania, Vermont, and additional states across the nation.
The settlement aims to ensure that Marriott takes necessary steps to protect consumer data, enhancing the overall security of sensitive information in the hospitality industry.