
    West Virginia receives settlement money after data breach with Hotel chain Marriott

    By Amber Baker

    9 hours ago


    CHARLESTON, W.Va. — West Virginia Attorney General Patrick Morrisey announced Wednesday that a coalition of 50 attorneys general has reached a settlement with Marriott International Inc. following an investigation into a large multiyear data breach of one of its guest reservation databases.

    Morrisey says the Federal Trade Commission, coordinating closely with the states throughout this investigation, has reached a parallel settlement with Marriott.

    According to the settlement, Marriott has agreed to strengthen its data security practices using a dynamic risk-based approach, provide certain consumer protections, and pay states $52 million under the settlement with the coalition.

    Officials say West Virginia will receive $472,693 from the settlement.

    “Consumers should be confident that the company they’re dealing with is handling their personal information safely and securely,” Attorney General Morrisey said. “Breaches like this could have been prevented with proper security measures in place.”

    Marriott reportedly acquired Starwood in 2016 and took control of the Starwood computer network that same year. However, intruders in the system went undetected from July 2014 until September 2018.

    According to officials, this led to the breach of 131.5 million guest records pertaining to customers in the United States.

    The impacted records included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.

    Officials say shortly after the breach of the Starwood database was announced, a coalition of 50 attorneys general launched a multistate investigation into the breach.

    The settlement resolves allegations that Marriott violated state consumer protection laws, personal information protection laws, and, where applicable, breach notification laws by failing to implement reasonable data security and remediate data security deficiencies, particularly when attempting to use and integrate Starwood into its systems.

    Under the terms of the settlement, Marriott has agreed to strengthen and continually improve its cybersecurity practices. Some of the specific measures include:

    • Implementation of a comprehensive Information Security Program. This includes new overarching security program mandates, such as incorporating zero-trust principles, regular security reporting to the highest levels within the company, including the CEO, and enhanced employee training on data handling and security.
    • Data minimization and disposal requirements will lead to less consumer data being collected and retained.
    • Specific security requirements with respect to consumer data, including component hardening, conducting an asset inventory, encryption, segmentation to limit an intruder’s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the network.
    • Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers.
    • In the future, if Marriott acquires another entity, it must assess the acquired entity’s information security program in a timely manner and develop plans to address identified gaps or deficiencies in security as part of the integration into Marriott’s network.
    • For additional security oversight, Marriott’s information security program will be assessed by an independent third party every two years for 20 years.

    These settlement terms are grounded in a well-developed risk-based approach: Marriott must not only conduct an annual enterprise-level risk assessment but also perform risk analyses throughout the year for changes to security controls. Those ongoing risk assessments must address the criteria of “harm to others” – which would include potential harm to consumers.

    As part of the settlement, Marriott will give consumers specific protections, including a data deletion option, even if consumers do not currently have that right under state law.

    The settlement also states that Marriott must offer multi-factor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy, and review those accounts if suspicious activity exists.

    Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

    For the latest news, weather, sports, and streaming video, head to WTRF.

    Comments / 2
    Terry
    5h ago
    WILL BE STOLEN BY LEADERS....
    Trump 2024
    8h ago
    What about the people?