Attorney General Dana Nessel | Official website
Attorney General Dana Nessel | Official website
Michigan Attorney General Dana Nessel announced a $52 million settlement with Marriott International, Inc. involving 50 Attorneys General. This agreement follows an investigation into a significant data breach of the Starwood guest reservation database. The Federal Trade Commission also reached a parallel settlement with Marriott.
Under the terms of the settlement, Marriott is required to enhance its data security practices and provide consumer protections. Michigan will receive $1,209,097 from this settlement.
"Companies we trust to handle our sensitive information must provide robust cyber security measures to protect consumers from breaches," said Nessel. "This settlement requires Marriott to enhance its security practices, promptly notify customers of incidents, and demonstrate an ongoing commitment to data protection."
The breach occurred between July 2014 and September 2018, affecting 131.5 million guest records in the United States. The compromised data included contact information, dates of birth, and some unencrypted passport numbers and payment card details.
Following the breach announcement, a coalition of Attorneys General launched an investigation into Marriott's compliance with state consumer protection laws and data security practices.
In recent months, Michigan has seen multiple data breaches affecting residents. Nessel has advocated for stronger consumer protection laws in Michigan and supports Senate Bills 888-892 that would require companies to notify the Department of Attorney General within 45 days after discovering a breach impacting over 100 individuals.
Marriott has agreed to implement several cybersecurity measures as part of the settlement:
- A comprehensive Information Security Program
- Data minimization and disposal requirements
- Specific security requirements for consumer data
- Increased vendor oversight
- Independent third-party assessments every two years
These measures are based on a risk-based approach that includes annual enterprise-level risk assessments.
Marriott will also offer consumers additional protections such as multi-factor authentication for loyalty accounts like Marriott Bonvoy.
Connecticut, Maryland, Oregon, along with other states and territories co-led the multistate investigation alongside Michigan.