Chicago – Attorney General Kwame Raoul, as part of a bipartisan coalition of 50 attorneys general, today reached an agreement in principle with Marriott International Inc. as the result of an investigation into a large multiyear data breach of one of its guest reservation databases. Under the proposed settlement, Marriott has agreed to strengthen its data security practices, provide consumer protections and make a $52 million payment to states. Illinois was part of the coalition of states leading the investigation and will receive $2.1 million from the settlement. The Federal Trade Commission, which has been coordinating closely with the states throughout this investigation, has reached a parallel settlement with Marriott.
“Marriott’s reservation database contained a range of personal customer information, and its data breach affected numerous Illinoisans,” Raoul said. “Our investigations led to an agreement that includes meaningful reforms in the way guests’ data will be handled, protecting consumers from future exposure. These reforms are an important step in helping guests rest a little easier knowing that stronger measures will be in place.”
Marriott acquired Starwood in 2016 and took control of the Starwood computer network. From July 2014 until September 2018, intruders in the system went undetected. This led to the breach of around 131.5 million guest records pertaining to customers in the United States. The impacted records included contact information, gender, birthdates, legacy Starwood Preferred Guest information, reservation information and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information. Shortly after the Starwood database breach was announced, Raoul’s office, as part of the coalition of attorneys general, launched a multistate investigation into the breach.
If approved by a judge, the proposed settlement would resolve allegations by Raoul and the attorneys general that Marriott violated state consumer protection laws, personal information protection laws, and, where applicable, breach notification laws by failing to implement reasonable data security and remediate data security deficiencies, particularly when attempting to use and integrate Starwood into its systems.
Under the terms of the proposed settlement, Marriott has agreed to strengthen and continually improve its cybersecurity practices. Some of the specific measures include:
These terms are grounded in a well-developed risk-based approach in which Marriott will be required to conduct an annual enterprise-level risk assessment and perform risk analyses throughout the year for changes to security controls. Those ongoing risk assessments must address the criteria of “harm to others,” which would include potential harm to consumers.
As part of the settlement, Marriott will give consumers specific protections, including a data deletion option, even if consumers do not currently have that right under state law. Marriott must offer multi-factor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy, and reviews of those accounts if there is suspicious activity.
Illinois was joined by Connecticut, the District of Columbia, Louisiana, Maryland, Massachusetts, North Carolina, Oregon, and Texas in co-leading the multistate investigation, which was assisted by the Executive Committee made up of Alabama, Arizona, Arkansas, Florida, Nebraska, New Jersey, New York, Ohio, Pennsylvania and Vermont.
Alaska, Colorado, Delaware, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Mexico, North Dakota, Oklahoma, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Virginia, Washington, West Virginia, Wisconsin and Wyoming were also part of the coalition that conducted the investigation and joined the settlement.
Chief Privacy Officer Matt Van Hise, Privacy Counsel Carolyn Friedman, and Assistant Attorneys General William Dimas, Andrew Hong and Alan Williams handled the settlement for Raoul’s Consumer Fraud Bureau.