Today Oregon Attorney General Ellen Rosenblum announced that a coalition of 50 states, led by Oregon along with eight other states, has reached a settlement with Marriott International, Inc. over a massive data breach of its Starwood system databases that went undetected for four years. The Federal Trade Commission, which has coordinated closely with the states, has reached a parallel settlement with Marriott. Under the settlement with the Attorneys General, Marriott has agreed to strengthen its data security practices using a dynamic risk-based approach, provide certain consumer protections, and make a $52 million payment to the states.

As one of the lead states in the matter, Oregon will receive approximately $2.1 million from the settlement. The funds will go to supporting the Oregon Department of Justice’s investigative, consumer protection and consumer education efforts.

“Marriott failed to live up to basic data security protocols,” commented Attorney General Rosenblum. “After acquiring Starwood in 2016, had Marriott followed their own information security policies, at least two years of continued malware intrusion into the Starwood data systems could have been avoided. And far fewer than the 131,500,000 guest records that were exposed would have been impacted. This settlement, years in the making, forces Marriott to take responsibility for its data-protection failures and strengthen its cybersecurity measures going forward,” added AG Rosenblum.

Marriott acquired Starwood in 2016 and took control of the Starwood computer network that same year. However, from July 2014 until September 2018, intruders in the system went undetected. This led to the breach of 131.5 million guest records pertaining to customers in the United States, including approximately 1.6 million guest records registered in Oregon (that number does not necessarily reflect individual consumers, as more than one record may be associated with a particular consumer). The impacted records included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.

Under the terms of the settlement, Marriott has agreed to strengthen and continually improve its cybersecurity practices. These settlement terms are grounded in a well-developed risk-based approach in which Marriott not only needs to conduct an annual enterprise-level risk assessment, but must also perform risk analyses throughout the year whenever security controls change. Those ongoing risk assessments must address the criterion of “harm to others,” which includes potential harm to consumers. Some of the specific measures include:

Implementation of a comprehensive Information Security Program. This includes new overarching security program mandates, such as incorporating zero-trust principles, regular security reporting to the highest levels within the company, including the Chief Executive Officer, and enhanced employee training on data handling and security.

Data minimization and disposal requirements, which will lead to less consumer data being collected and retained.

Specific security requirements with respect to consumer data, including component hardening, conducting an asset inventory, encryption, segmentation to limit an intruder’s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the network.

Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers.

In the future, if Marriott acquires another entity, it must timely further assess the acquired entity’s information security program and develop plans to address identified gaps or deficiencies in security as part of the integration into Marriott’s network.

An independent third-party assessment of Marriott’s information security program every two years for a period of 20 years for additional security oversight.

As part of the settlement, Marriott will give consumers specific protections, including a data deletion option, even if consumers do not currently have that right under state law. (Thanks to our new Oregon Consumer Privacy Law, Oregon does!) Marriott must offer multi-factor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy, as well as reviews of those accounts if there is suspicious activity.

The settlement also places obligations on Marriott’s future corporate acquisitions. Starwood had experienced security breaches before Marriott acquired the company, and after the acquisition closed Marriott was aware of vulnerabilities in Starwood’s system, yet those vulnerabilities were left unaddressed for two years. Under the terms of the judgment, if and when Marriott acquires other entities that hold personal information, Marriott must assess that entity’s information security program in a timely manner and develop plans to address identified security deficiencies.

Connecticut, Maryland, and Oregon as well as the District of Columbia, Illinois, Louisiana, Massachusetts, North Carolina, and Texas co-led the multistate investigation, assisted by the Executive Committee of Alabama, Arizona, Arkansas, Florida, Nebraska, New Jersey, New York, Ohio, Pennsylvania, and Vermont.

AG Rosenblum commends the Oregon DOJ lawyers, led by Kristen Hilton, and other legal professionals who put their time and talent into securing this settlement.