DES MOINES—Iowa Attorney General Brenna Bird today announced that a bipartisan coalition of 50 attorneys general has reached a settlement with Marriott International, resolving a years-long investigation into a data breach of its guest reservation database. The Federal Trade Commission reached a separate settlement with Marriott.
Marriott has agreed to strengthen its data security practices, offer its guests new protections, and pay a total of $52 million to the States. Iowa will receive $594,105 from the settlement. For years, intruders had undetected access to Marriott’s database, exposing 131.5 million guest records. These hacked records included contact information, gender, dates of birth, preferred guest information, reservation information, and hotel stay preferences, as well as some passport numbers and payment card information.
“No Iowans should have to fear that when they take a family vacation, their data will be exploited by hackers,” said Attorney General Bird. “This settlement holds Marriott accountable for exposing more than 131 million guest records, containing Americans’ personal data, and requires safeguards to ensure all future guests are protected.”
Fifty attorneys general launched an investigation into the breach. This settlement resolves the case made by attorneys general that Marriott violated state consumer protection laws, personal-information protection laws, and breach-notification laws by failing to implement proper security measures.
Marriott has agreed to the following measures to strengthen its cybersecurity practices:
- Implementation of an Information Security Program. This program includes incorporating zero-trust principles, mandating regular security reporting within the company, and enhancing employee training on data handling and security.
- Reduction of guest data being collected and retained.
- Addition of safeguards to detect and prevent hackers who attempt to infiltrate the network.
- Increase in oversight for vendors and franchisees, especially relating to IT, as well as more clearly outlining contracts with cloud providers.
- If Marriott acquires future entities, it must timely assess each entity’s security programs and develop plans to address any inadequacies.
- Third-party reviews of Marriott’s information security program every two years for a period of 20 years.
Iowa joined the multistate investigation led by Connecticut, the District of Columbia, Illinois, Louisiana, Maryland, Massachusetts, North Carolina, Oregon, and Texas. They were joined by Alabama, Alaska, Arizona, Arkansas, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Indiana, Kansas, Kentucky, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Dakota, New York, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.