Hawaii will receive more than $438,000 from a settlement with Marriott International, Inc., over a large, multiyear data breach of the Starwood guest reservation database, the state Department of Commerce and Consumers Office of Consumer Protection announced on Wednesday.

The overall $52 million settlement was agreed upon by Marriott and a coalition of 50 state attorneys general. It includes an agreement by Marriott to strengthen its data-security practices using a dynamic risk-based approach and provide additional consumer protections.

The Federal Trade Commission, which has been coordinating closely with the states throughout the investigation, reached a parallel settlement with Marriott.

Marriott acquired Starwood in 2016 and took control of the Starwood computer network the same year. However, according to an investigation by the coalition, from July 2014 until Sept. 2018, intruders in the system went undetected. This led to a breach of 131.5 million records for U.S. guests. The records included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.

The settlement resolves allegations by the attorneys general that Marriott violated state consumer protection laws, personal information protection laws, and breach-notification laws by failing to implement reasonable data security measures and remediate data security deficiencies, particularly when attempting to use and integrate Starwood into its systems.

“When companies choose to collect and store consumer data, they must take steps to secure it,” stated Mana Moriarty, executive director of the Office of Consumer Protection. “We will continue to hold businesses accountable for their failure to do so.”

Under the terms of the settlement, Marriott has agreed to strengthen and continually improve its cybersecurity practices, including:

  • Implementation of a comprehensive Information Security Program, to include new overarching security program mandates, such as incorporating zero-trust principles, regular security reporting to the highest levels within the company and enhanced employee training on data handling and security.

  • Data minimization and disposal requirements that reduce consumer data being collected and retained.

  • Specific security requirements with respect to consumer data, including component hardening, conducting an asset inventory, encryption, segmentation to limit an intruder’s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the network.

  • Increased vendor and franchisee oversight, with a special emphasis on risk assessments for critical IT vendors and clearly outlined contracts with cloud providers.

  • Timely assessment of any future acquired entity’s information security program and development of plans to address identified gaps or deficiencies in security as part of the integration into Marriott’s network.

  • An independent third-party assessment of Marriott’s information security program every two years for a period of 20 years for additional security oversight.

As part of the settlement, Marriott will give consumers specific protections, including a data-deletion option, even if consumers do not currently have that right under state law. Marriott also must offer multifactor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy, as well as reviews of those accounts if there is suspicious activity.

Michael Tsai covers local and state politics for Spectrum News Hawaii. He can be reached at michael.tsai@charter.com.