
Attorney General Griffin Announces Settlement with Marriott International, Inc. for Data Breach

Griffin: ‘I remain committed to holding companies accountable for data breaches while encouraging Arkansans to be vigilant and protect their personal information and passwords’

LITTLE ROCK – Attorney General Tim Griffin today issued the following statement announcing Arkansas will receive $804,965 as part of a settlement between Marriott International, Inc. and a coalition of 50 attorneys general for a large multi-year data breach:

“With Cybersecurity Awareness Month in full swing, this settlement is yet another reminder how widespread data breaches are, and how many lives they touch—including the lives of those who travel for business, visit family, or vacation. I remain committed to holding companies accountable for data breaches while encouraging Arkansans to be vigilant and protect their personal information and passwords.”

Under the settlement with the attorneys general, Marriott has agreed to strengthen its data security practices using a dynamic risk-based approach, provide certain consumer protections, and pay $52 million to states.

Marriott acquired Starwood Hotels and Resorts Worldwide, LLC in 2016 and took control of the Starwood computer network that same year. The intrusion, however, predated the acquisition: intruders had been inside the Starwood network since July 2014 and went undetected until September 2018, roughly two years after Marriott assumed control. The breach exposed 131.5 million guest records pertaining to customers in the United States. The impacted records included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.

Today’s settlement resolves allegations that Marriott violated state consumer protection laws, personal information protection laws, and, where applicable, breach notification laws by failing to implement reasonable data security and remediate data security deficiencies, particularly when attempting to use and integrate Starwood into its systems.

Under the terms of the settlement, Marriott has agreed to strengthen and continually improve its cybersecurity practices. Some of the specific measures include:

  • Implementation of a comprehensive Information Security Program. This includes new overarching security program mandates, such as incorporating zero-trust principles, regular security reporting to the highest levels within the company, including the Chief Executive Officer, and enhanced employee training on data handling and security.
  • Data minimization and disposal requirements, which will lead to less consumer data being collected and retained.
  • Specific security requirements with respect to consumer data, including component hardening, conducting an asset inventory, encryption, segmentation to limit an intruder’s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the network.
  • Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers.
  • In the future, if Marriott acquires another entity, it must promptly assess the acquired entity’s information security program and develop plans to address identified gaps or deficiencies in security before and during the integration of that entity into Marriott’s network.
  • An independent third-party assessment of Marriott’s information security program every two years for a period of 20 years for additional security oversight.

These settlement terms are grounded in a well-developed risk-based approach in which Marriott not only needs to conduct an annual enterprise level risk assessment, but it must also perform risk analyses throughout the year for changes to security controls. Those ongoing risk assessments must address the criteria of “harm to others” – which would include potential harm to consumers.

As part of the settlement, Marriott will give consumers specific protections, including a data deletion option, even if consumers do not currently have that right under state law. Marriott must offer multi-factor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy, as well as reviews of those accounts if there is suspicious activity.

Connecticut, Maryland, Oregon, the District of Columbia, Illinois, Louisiana, Massachusetts, North Carolina, and Texas co-led the multistate investigation, assisted by the Executive Committee of Alabama, Arizona, Arkansas, Florida, Nebraska, New Jersey, New York, Ohio, Pennsylvania, and Vermont, and joined by Alaska, Colorado, Delaware, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Mexico, North Dakota, Oklahoma, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

For a copy of the complaint, click here.

For a copy of the consent judgment, click here.


About Attorney General Tim Griffin

Tim Griffin was sworn in as the 57th Attorney General of Arkansas on January 10, 2023, having previously served as the state’s 20th Lieutenant Governor from 2015-2023. From 2011-2015, Griffin served as the 24th representative of Arkansas’s Second Congressional District, where he served on the House Committee on Ways and Means, House Armed Services Committee, House Committee on Foreign Affairs, House Committee on Ethics and House Committee on the Judiciary while also serving as a Deputy Whip for the Majority.

Griffin has served as an officer in the U.S. Army Reserve Judge Advocate General’s (JAG) Corps for more than 28 years and currently holds the rank of colonel. In 2005, Griffin was mobilized to active duty as an Army prosecutor at Fort Campbell, Kentucky, and served with the 101st Airborne Division (Air Assault) in Mosul, Iraq.

He is currently serving as the Commander of the 2d Legal Operations Detachment in New Orleans, Louisiana. His previous assignments include serving as the Commander of the 134th Legal Operations Detachment at Fort Liberty (formerly Fort Bragg), North Carolina, and as a Senior Legislative Advisor to the Under Secretary of Defense for Personnel and Readiness at the Pentagon. Griffin earned a master’s degree in strategic studies as a Distinguished Honor Graduate from the U.S. Army War College, Carlisle Barracks, Pennsylvania.

Griffin also served as U.S. Attorney for the Eastern District of Arkansas, and Special Assistant to the President and Deputy Director of Political Affairs for President George W. Bush; Special Assistant to Assistant Attorney General Michael Chertoff, Criminal Division, U.S. Department of Justice; Special Assistant U.S. Attorney, U.S. Attorney’s Office, Eastern District of Arkansas; Senior Investigative Counsel, Government Reform and Oversight Committee, U.S. House of Representatives; and Associate Independent Counsel, Office of Independent Counsel David M. Barrett, In re: HUD Secretary Henry Cisneros.

Griffin is a graduate of Magnolia High School, Hendrix College in Conway, and Tulane Law School in New Orleans. He attended graduate school at Oxford University. He is admitted to practice law in Arkansas (active) and Louisiana (inactive). Griffin lives in Little Rock with his wife, Elizabeth, a Camden native, and their three children.

###