State of Delaware

10/10/2024 | Press release | Archived content

AG Jennings Announces $52 Million Multistate Settlement with Marriott for Data Breach


Attorney General Kathy Jennings today announced that a coalition of 50 Attorneys General has reached a settlement with Marriott International, Inc. as the result of a multi-year data breach of one of its guest reservation databases. Under the settlement, Marriott has agreed to strengthen its data security practices using a dynamic risk-based approach, provide certain consumer protections, and make a $52 million payment to states. Delaware will receive nearly $400 thousand from the settlement.
"Our unwavering commitment to holding companies accountable for their failure to adequately protect the personal information of Delawareans remains strong," said Attorney General Jennings. "Marriott's lack of reasonable security measures and the failure to address data security deficiencies during the acquisition of Starwood is deeply concerning, especially given that these issues went undetected for years. This is simply unacceptable."
Marriott acquired Starwood in 2016 and took control of the Starwood computer network in 2016. However, from July 2014 until September 2018, intruders in the system went undetected. This led to the breach of 131.5 million guest records. The impacted records included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.
Today's settlement resolves allegations by the Attorneys General that Marriott violated state consumer protection laws, personal information protection laws, and, where applicable, breach notification laws by failing to implement reasonable data security and remediate data security deficiencies, particularly when attempting to use and integrate Starwood into its systems.
Under the terms of the settlement, Marriott has agreed to strengthen its cybersecurity practices, including by:
  • Implementation of a comprehensive Information Security Program.
  • Data minimization and disposal requirements.
  • Specific security requirements with respect to consumer data.
  • Increased vendor and franchisee oversight.
  • In the future, if Marriott acquires another entity, it must promptly assess the acquired entity's information security program and develop plans to address any identified security gaps or deficiencies as part of integrating that entity into Marriott's network.
  • An independent third-party assessment of Marriott's information security program every two years for a period of 20 years.
As part of the settlement, Marriott will give consumers specific protections, including a data deletion option, even if consumers do not yet have that right under the Delaware Personal Data Privacy Act, which goes into effect on January 1st, 2025. Marriott must offer multi-factor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy, as well as reviews of those accounts if there is suspicious activity.
The Federal Trade Commission, which has been coordinating with the states, has reached a parallel settlement with Marriott.