From Michigan Department of Attorney General <[email protected]>
Subject AG Nessel Announces $52 Million Multistate Settlement with Marriott for Data Breach of Starwood Guest Reservation Database
Date October 11, 2024 5:10 PM
  Links have been removed from this email. Learn more in the FAQ.

*FOR IMMEDIATE RELEASE:*

October 11, 2024

*Media Contact:* Danny Wimmer <[email protected]>

*AG Nessel Announces $52 Million Multistate Settlement with Marriott for Data Breach of Starwood Guest Reservation Database*

*LANSING* – Michigan Attorney General Dana Nessel announced today that a coalition of 50 Attorneys General has reached a settlement with Marriott International, Inc. as the result of an investigation into a large multi-year data breach of one of its guest reservation databases. The Federal Trade Commission, which has been coordinating closely with the states throughout this investigation, has reached a parallel settlement with Marriott. Under the settlement with the Attorneys General, Marriott has agreed to strengthen its data security practices using a dynamic risk-based approach, provide certain consumer protections, and make a $52 million payment to states. Michigan will receive $1,209,097 from the settlement. 

"Companies we trust to handle our sensitive information must provide robust cyber security measures to protect consumers from breaches," Nessel said. "This settlement requires Marriott to enhance its security practices, promptly notify customers of incidents, and demonstrate an ongoing commitment to data protection. I will continue to work alongside my colleagues to hold corporations accountable for breaches that compromise personal information and advocate for stronger consumer protection laws in Michigan." 

Marriott acquired Starwood in 2016 and took control of the Starwood computer network that same year. However, from July 2014 until September 2018, intruders in the system went undetected. This led to the breach of 131.5 million guest records pertaining to customers in the United States. The impacted records included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.

Shortly after the breach of the Starwood database was announced, a coalition of 50 Attorneys General launched a multi-state investigation into the breach. Today’s settlement resolves allegations by the Attorneys General that Marriott violated state consumer protection laws, breach notification laws, where applicable, and personal information protection laws by failing to implement reasonable data security and remediate data security deficiencies, particularly when attempting to use and integrate Starwood into its systems. 

Michigan has experienced a surge in data breaches. In recent months, Attorney General Nessel notified Michigan residents about two McLaren cyber attacks [ [link removed] ] affecting millions of patients. Similarly, the Attorney General shared resources following a Change Healthcare data breach that could impact up to a third of all Americans [ [link removed] ]. She has also issued consumer alerts and informed consumers of the Department of Attorney General’s Data Breaches: What to do Next [ [link removed] ] webpage after massive cyber attacks on AT&T [ [link removed] ] and Comcast/Xfinity [ [link removed] ].    

State law does not currently require companies that experience a data breach to share that information with the Department of Attorney General. The Department often learns about these data breaches through media reports. The AG strongly recommends the legislature – similar to many other states – pass Senate Bills 888-892 to strengthen Michigan law by requiring companies that experience a data breach to notify the Department of Attorney General without unreasonable delay, and no later than 45 days after discovery of the breach, when the breach impacts over 100 persons. This will allow the Attorney General to more quickly alert the public. Just this week, the Department testified before the Senate Committee on Finance, Insurance, and Consumer Protection in support of the legislative package [ [link removed] ].

Under the terms of the settlement, Marriott has agreed to strengthen and continually improve its cybersecurity practices. Some of the specific measures include: 

* Implementation of a comprehensive Information Security Program. This includes new overarching security program mandates, such as incorporating zero-trust principles, regular security reporting to the highest levels within the company, including the Chief Executive Officer, and enhanced employee training on data handling and security. 

* Data minimization and disposal requirements, which will lead to less consumer data being collected and retained. 

* Specific security requirements with respect to consumer data, including component hardening, conducting an asset inventory, encryption, segmentation to limit an intruder’s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the network.   

* Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers. 

* In the future, if Marriott acquires another entity, it must timely further assess the acquired entity’s information security program and develop plans to address identified gaps or deficiencies in security as part of the integration into Marriott’s network. 

* An independent third-party assessment of Marriott’s information security program every two years for a period of 20 years for additional security oversight. 

These settlement terms are grounded in a well-developed risk-based approach in which Marriott not only needs to conduct an annual enterprise level risk assessment, but it must also perform risk analyses throughout the year for changes to security controls. Those ongoing risk assessments must address the criteria of “harm to others” – which would include potential harm to consumers.   

As part of the settlement, Marriott will give consumers specific protections, including a data deletion option, even if consumers do not currently have that right under state law. Marriott must offer multi-factor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy, as well as reviews of those accounts if there is suspicious activity.

Connecticut, Maryland, and Oregon as well as the District of Columbia, Illinois, Louisiana, Massachusetts, North Carolina, and Texas co-led the multistate investigation, assisted by the Executive Committee of Alabama, Arizona, Arkansas, Florida, Nebraska, New Jersey, New York, Ohio, Pennsylvania, and Vermont, and joined by Alaska, Colorado, Delaware, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Mexico, North Dakota, Oklahoma, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

### 

*Media Inquiries* <[email protected]>

*Latest Releases* [ [link removed] ]

*File a Complaint* [ [link removed] ]
