
Marriott to pay $52 million settlement for data breach

A view of Marriott hotel in Warsaw, Poland on August 13, 2024. (Photo by Jakub Porzycki/NurPhoto via Getty Images)


HONOLULU (KHON2) — The Hawai‘i Department of Commerce and Consumer Affairs has announced that a group of 50 state attorneys general has settled with Marriott International, Inc.

This settlement is part of an investigation into a serious data breach affecting one of Marriott’s guest reservation systems.

The Federal Trade Commission (FTC) has also been involved and has reached a similar agreement with Marriott.

As part of the settlement with the attorneys general, Marriott will:

  • Improve its data security practices.
  • Provide certain protections for consumers.
  • Pay $52 million to the states involved in the investigation. Hawai‘i will receive $438,045 from this payment.

Marriott bought Starwood in 2016 and took control of its computer network that same year. However, from July 2014 to September 2018, hackers accessed the system without being noticed.

This breach affected 131.5 million guest records, mainly from customers in the United States. The leaked information included:

  • Contact details.
  • Gender.
  • Birth dates.
  • Starwood Preferred Guest information.
  • Reservation details.
  • Hotel stay preferences.
  • Some unencrypted passport numbers.
  • Unexpired payment card information.

After the breach was made public, a group of 50 attorneys general started looking into it. Today’s settlement addresses claims that Marriott broke state consumer protection laws and failed to secure personal information properly.

Marriott did not take reasonable steps to protect customer data, especially when integrating Starwood’s systems.

“When companies collect and keep consumer data, they must secure it,” said Mana Moriarty, Executive Director of the Office of Consumer Protection. “We will continue to hold businesses responsible for not doing this.”

Under the settlement, Marriott must improve its cybersecurity practices. Here are some specific measures they have to follow:

  1. Create a strong Information Security Program: This includes new security rules like using zero-trust principles, regular security updates to top management, and better training for employees on data security.
  2. Limit data collection and disposal: Marriott will collect less consumer data and dispose of it properly.
  3. Enhance security for consumer data: This involves better measures like:
    • Securing systems to limit hackers’ movement.
    • Keeping track of what data they have.
    • Ensuring critical security updates are applied quickly.
    • Monitoring user access and activity.
  4. Increase oversight of vendors: Marriott will pay special attention to “Critical IT Vendors” and have clear contracts with cloud service providers.
  5. Assess new acquisitions: If Marriott buys another company, they must quickly evaluate that company’s data security and fix any problems before combining systems.
  6. Independent assessments: Every two years for 20 years, an outside group will review Marriott’s security practices.

These terms are part of a thorough risk-based plan, where Marriott must check for risks not just once a year, but regularly. These checks will look at potential harm to consumers.

Additionally, as part of the settlement, Marriott will provide consumers with specific protections, including:

  • A way to delete their data, even if the law doesn’t require it.
  • Multifactor authentication for loyalty accounts like Marriott Bonvoy, which helps protect against unauthorized access.
  • Reviews of loyalty accounts if there are signs of suspicious activity.

Connecticut, Maryland, and Oregon, along with the District of Columbia, led the investigation. They were supported by other states including Alabama, Arizona, Arkansas, Florida, Nebraska, New Jersey, New York, Ohio, Pennsylvania, Vermont, and many more.

This settlement is an important step in ensuring that companies protect consumer data and take responsibility when breaches happen.


Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed
