Marriott to Pay $52 Million in Multi-State Settlement Over Starwood Data Breach, Strengthen Cybersecurity Measures

Published on October 09, 2024
Image source: Google Street View

In a recent turn of events, Attorney General Raoul announced a multi-state settlement agreement with Marriott International Inc. over a prolonged data breach of the Starwood guest reservation database. This settlement follows a concerted effort by a bipartisan coalition of 50 attorneys general and culminates in Marriott's commitment to pay $52 million in damages, improve its data security practices, and implement certain consumer protections. According to the Illinois Attorney General's office, Illinois will receive $2.1 million as part of the settlement.

The investigation was set into motion after Marriott acquired the Starwood networks in 2016. Intruders had unauthorized access to approximately 131.5 million guest records between July 2014 and September 2018. The compromised data included a range of sensitive personal information. Raoul stated, "Marriott’s reservation database contained a range of personal customer information, and its data breach affected numerous Illinoisans." The reforms Marriott has agreed to are set to place a premium on customer data security going forward.

As reported by the Illinois Attorney General's website, Marriott's proposed settlement encompasses an overhaul of its cybersecurity program. This includes adopting zero-trust principles, mandating regular security reporting, and reinforcing employee training specific to data security and handling. Moreover, it introduces stringent measures related to consumer data, such as asset inventories, encryption, network segmentation, and robust intrusion detection systems. A significant component of the proposed settlement is the enhancement of Marriott's efforts in data minimization and disposal, aimed at reducing the volume of consumer data collected and retained.

One of the key terms involves continuous improvement of Marriott's cybersecurity practices, which will be reviewed by a third-party assessor every two years for the next two decades. This level of supervision is designed to ensure Marriott's adherence to its data protection commitments. Furthermore, Marriott is expected to provide consumers with specific protections, including data deletion options and the introduction of multi-factor authentication for loyalty rewards accounts. This initiative aims at bolstering consumer confidence and strengthening the integrity of personal information within the hospitality leader's systems.

A consortium of attorneys general was integral in this investigation, with Illinois joining Connecticut, the District of Columbia, Louisiana, Maryland, Massachusetts, North Carolina, Oregon, and Texas at the helm. Their collective effort, assisted by an additional group of states, underscores the broad concern posed by data breaches and the subsequent push for corporate responsibility in protecting consumer data. This settlement, if approved by a judge, is expected to hold Marriott accountable and set a precedent for data security in the hospitality industry.

Handling the settlement for Raoul's Consumer Fraud Bureau were Chief Privacy Officer Matt Van Hise, Privacy Counsel Carolyn Friedman, and Assistant Attorneys General William Dimas, Andrew Hong and Alan Williams, demonstrating the team effort required to reach this comprehensive resolution.