10/09/2024 | Press release | Distributed by Public on 10/09/2024 10:05
Commonwealth of Virginia
Office of the Attorney General
Jason S. Miyares
Attorney General
202 North 9th Street
Richmond, Virginia 23219
804-786-2071
FAX 804-786-1991
Virginia Relay Service
800-828-1120
For media inquiries only, contact:
Shaun Kenney
This email address is being protected from spambots. You need JavaScript enabled to view it.
Attorney General Miyares Announces $52 Million Multistate Settlement with Marriott for Data Breach of Starwood Guest Reservation Database
RICHMOND, VA - Attorney General Jason Miyares announced today that a coalition of 50 Attorneys General has reached a settlement with Marriott International, Inc. as the result of an investigation into a large multi-year data breach of one of its guest reservation databases. Under the settlement with the Attorneys General, Marriott has agreed to strengthening its data security practices using a dynamic risk-based approach, provide certain consumer protections, and make a $52 million payment to states. Virginia will receive $1,076,183 from the settlement.
"Businesses that collect sensitive data from consumers have a duty to safeguard it and prevent access by unauthorized parties," Attorney General Miyares said. "I am pleased that we were able to reach a fair and reasonable settlement to address the violations of law and restore consumers' confidence that their personal information is being adequately safeguarded."
Marriott acquired Starwood in 2016 and took control of the Starwood computer network in 2016. However, from July 2014 until September 2018, intruders in the system went undetected. This led to the breach of 131.5 million guest records pertaining to customers in the United States. The impacted records included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.
Shortly after the breach of the Starwood database was announced, a coalition of 50 Attorneys General launched a multi-state investigation into the breach. Today's settlement resolves allegations by the Attorneys General that Marriott violated state consumer protection laws, personal information protection laws, and, where applicable, breach notification laws by failing to implement reasonable data security and remediate data security deficiencies, particularly when attempting to use and integrate Starwood into its systems.
Under the terms of the settlement, Marriott has agreed to strengthen and continually improve its cybersecurity practices. Some of the specific measures include:
These settlement terms are grounded in a well-developed risk-based approach in which Marriott not only needs to conduct an annual enterprise level risk assessment, but it must also perform risk analyses throughout the year for changes to security controls. Those ongoing risk assessments must address the criteria of "harm to others" - which would include potential harm to consumers.
As part of the settlement, Marriott will give consumers specific protections, including a data deletion option, even if consumers do not currently have that right under state law. Marriott must offer multi-factor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy, as well as reviews of those accounts if there is suspicious activity.
Joining Attorney General Miyares in today's announcement are the attorneys general of Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, District of Columbia, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Washington, West Virginia, Wisconsin, and Wyoming. The Federal Trade Commission, which has been coordinating closely with the states throughout this investigation, has reached a parallel settlement with Marriott.
# # #