  • Democrat and Chronicle

    Marriott data breach settlement: New Yorkers can delete their data stored with hotel chain

    By Emily Barnes, New York Connect Team

    1 day ago

    New Yorkers now have the option to delete their data stored with a major hotel chain after a multi-year data breach resulted in a multistate settlement.

    Attorney General Letitia James announced Wednesday a $52 million settlement with Marriott International, Inc. over a four-year data breach of one of its guest reservation databases.

    “When people book a hotel stay for travel or work, they shouldn’t have to worry that their personal data and credit card information will be stolen,” James said. “Marriott let cybercriminals live in its database for years and millions of people had their information stolen as a result. Protecting customers’ private information should be a top priority, not a last resort, for all companies.”

    Here's what to know.

    What to know about the AG's claims

    Starwood Hotels and Resorts Worldwide, one of Marriott's subsidiaries, had undetected intruders in its system for four years, according to the AG's investigation. The breach affected 131.5 million customers across the U.S., including millions of New Yorkers.

    From July 2014 to September 2018, hackers accessed and remained on Starwood's databases undetected, exposing contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, hotel stay preferences and a limited number of unencrypted passport numbers and unexpired payment card information. Marriott acquired Starwood in 2016.

    Forty-eight other state attorneys general plus the District of Columbia are part of the settlement.

    What this means for Marriott

    As a result of the settlement, Marriott will need to "significantly strengthen and continually improve its cybersecurity practices" by enacting these measures:

    • Independent third-party assessment of the company's information security program every two years for a period of 20 years.
    • Data minimization and disposal requirements to ensure less customer data is collected and retained.
    • Implementation of a comprehensive Information Security Program, including regular security reporting to the highest levels within the company and enhanced employee training on data handling and security.
    • Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers.
    • And if Marriott acquires another entity somewhere down the road, it must promptly assess the acquired entity’s information security program and develop plans to address deficiencies as part of the integration into Marriott’s network.

    Marriott will also pay $52 million in penalties, with $2.29 million going to the state of New York.

    What this means for New Yorkers

    Marriott customers who want to can now delete their data stored by the hotel, according to the settlement.

    Marriott is also required to offer multi-factor identification for its loyalty rewards accounts and to conduct reviews of the accounts to keep an eye out for suspicious activity.

    Emily Barnes reports on consumer-related issues for the USA TODAY Network’s New York Connect Team, focusing on scam and recall-related topics. Follow her on Twitter and Instagram @byemilybarnes. Get in touch at ebarnes@gannett.com.

    This article originally appeared on Rochester Democrat and Chronicle: Marriott data breach settlement: New Yorkers can delete their data stored with hotel chain
