
Marriott International Agrees to $52 Million Settlement in Data Breach Case Involving 131.5 Million U.S. Guest Records

Published on October 11, 2024
Photo source: Google Street View

To address the fallout from a multi-year breach of one of its reservation systems, Marriott International, Inc. has agreed to a $52 million settlement with a coalition of Attorneys General from 50 states. According to a statement from the Michigan Department of Attorney General, the settlement responds to Marriott's large data breach, in which unauthorized parties accessed the guest reservation database it had acquired from Starwood Hotels and Resorts.

Michigan itself is slated to receive just over $1.2 million from the settlement. "Companies we trust to handle our sensitive information must provide robust cyber security measures to protect consumers from breaches," Attorney General Nessel said. Under the settlement, the hospitality giant has agreed to overhaul its data security practices and to promptly notify customers of any future incidents. Marriott had controlled the Starwood computer network since 2016, but intruders had been present in it undetected from July 2014 until September 2018, exposing around 131.5 million guest records within the U.S., including sensitive personal and payment information, according to the Michigan Department of Attorney General.

After the Starwood database breach was announced, the Attorneys General launched a multistate investigation that uncovered the extent of Marriott's data security shortcomings. The settlement resolves allegations that Marriott failed to adopt reasonable measures to protect consumer data and to remedy known data security deficiencies, particularly while integrating Starwood's systems into its own. Large data breaches have been a pressing issue in Michigan more broadly: Attorney General Nessel recently drew attention to cyber attacks on McLaren affecting millions of patients and to a breach at Change Healthcare that may have put as many as a third of all Americans at risk.

Marriott's future cybersecurity commitments cover a broad range of initiatives, including instituting an Information Security Program and implementing stricter controls around consumer data. The program mandates security reporting to top officials, such as the Chief Executive Officer, and expands employee training in data security. The company will also enforce data minimization and disposal practices so that it retains less consumer data. To provide external review, an independent third party will assess Marriott's information security program every two years for the next two decades.

Additional consumer-focused measures stemming from the settlement include multi-factor authentication options for loyalty program users and dedicated data deletion options, as reported in Michigan's press release. Marriott must also follow a risk-based approach, continually assessing security risks and addressing any gaps, especially when evaluating future acquisitions. The settlement was co-led by nine states, supported by an Executive Committee of ten states, and joined by a total of 50 states, with the aim of strengthening consumer protections against data breaches.