In a separate settlement with the FTC, the hotel group also agreed to boost its security programme.
A US settlement involving 50 attorneys general will see Marriott International make a $52m payment for a data breach that took place over several years.
The settlement, co-led by Connecticut attorney general William Tong, will also see the hotel group strengthen its data security practices using a dynamic risk-based approach.
The settlement relates to a breach in which the company’s Starwood database was compromised. Though the breach was dated back to 2014, it was not discovered until November 2018.
The settlement marks the end of a multiyear investigation. As part of the settlement, Marriott will give consumers specific protections, including a data deletion option, even if consumers do not currently have that right under state law.
The hotel group must also offer multifactor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy, as well as reviews of those accounts if there is suspicious activity.
In a statement, Tong said companies have an obligation to take reasonable measures to protect consumer data security, which Marriott “failed to do”.
“This 50-state settlement, co-led by Connecticut, forces a strong system of risk-based protections to guard against ever-evolving threats to cybersecurity,” he said. “We will continue to work closely with our multistate partners across the country to ensure companies are taking all reasonable precautions to protect our personal information.”
In a separate action, the US Federal Trade Commission (FTC) has reached a settlement with Marriott and its subsidiary Starwood Hotels to resolve similar data security accusations, focusing on three large data breaches between 2014 and 2020.
According to the FTC, these three breaches combined impacted more than 344m customers worldwide. The settlement requires Marriott to implement a robust information security programme to settle charges that the companies’ failure to implement reasonable data security led to the data breaches.
As well as the multiyear breach in connection with the $52m settlement, the FTC also refers to another breach from 2014, which involved payment card information of more than 40,000 Starwood customers. The breach went undetected for 14 months until Starwood notified customers in November 2015.
A third breach was uncovered in 2020, having gone on undetected since 2018. In this case, malicious actors accessed 5.2m guest records worldwide, including names, mailing addresses, email addresses, phone numbers, month and day of birth and loyalty account information.
To settle the FTC’s case, Marriott and Starwood have agreed to a proposed order that will require them to implement processes and checks that will help protect personal information, detect problems as they arise and fix any issues in a timely manner.
Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said Marriott’s poor security practices led to the breaches affecting hundreds of millions of customers.
“The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.