
In a significant move for consumer protection, Marriott International, Inc. has reached a $52 million multistate settlement over a massive data breach that compromised millions of guests' personal information. As reported by the Governor's Office, this resolution concludes the joint efforts of 50 attorneys general and the Federal Trade Commission after a prolonged multiyear breach of the Starwood guest reservation database.
A staggering 131.5 million guest records belonging to U.S. consumers were affected, exposing sensitive data such as contact information, gender, dates of birth, passport numbers, and payment card details. The intruders operated undetected from the period following Marriott's acquisition of Starwood in 2016 until the breach was discovered in September 2018.
The investigation found that Marriott may have neglected data security and failed to act quickly to remedy known deficiencies, especially during the integration of the Starwood network. "When companies choose to collect and store consumer data, they must take steps to secure it," Mana Moriarty, Executive Director of the Office of Consumer Protection, emphasized in a statement. Moriarty also assured that businesses would be held accountable in such instances of negligence, as per the Governor's Office.
Under the terms of the settlement, Marriott has committed to implementing a robust Information Security Program with stipulations like employing a zero-trust approach to security, mandating regular reporting to its Chief Executive Officer and higher company echelons, and improving employee training on data handling and security. To guard against future intrusions, Marriott has agreed to execute regular assessments and address risks promptly, always with the criteria of "harm to others" in mind, as reported by the Governor's Office.
Marriott is now also required to provide certain consumer protections, including a data deletion option and multifactor authentication for loyalty accounts, with ongoing review of those accounts for suspicious activity. Notably, the company must now exercise rigorous oversight over vendors and franchisees, including stringent contractual requirements, especially with cloud providers. Should Marriott acquire another entity, it is required to thoroughly assess and remediate any security gaps before integrating the acquired systems into its network.
With Connecticut, Maryland, Oregon, and the District of Columbia co-leading the multistate investigation, a substantial coalition of states joined the effort, demonstrating a shared resolve to safeguard consumer data. As cybersecurity increasingly becomes a central concern, the settlement with Marriott marks a pivotal move toward more stringent corporate responsibility for the protection of personal data.