Arkansas Receives $800,000 Settlement from Marriott Data Breach
In a significant development for consumer protection, Arkansas Attorney General Tim Griffin announced today that the state will receive over $800,000 as part of a settlement with Marriott International, Inc. This settlement is the result of a coalition of 50 attorneys general addressing a multi-year data breach that compromised the personal information of millions of guests.
The Data Breach: A Massive Compromise
The breach, which occurred between 2014 and 2018, exposed a staggering 131.5 million guest records. This data included sensitive information such as contact details, gender identification, dates of birth, reservation specifics, hotel stay preferences, passport numbers, and payment card information. The scale of this breach highlights the vulnerabilities that can exist within large corporations, particularly those that handle vast amounts of personal data.
A Commitment to Protecting Arkansans
In his announcement, Attorney General Griffin emphasized the importance of this settlement in safeguarding the personal information of Arkansans. “With Cybersecurity Awareness Month in full swing, this settlement is yet another reminder of how widespread data breaches are, and how many lives they touch—including the lives of those who travel for business, visit family, or vacation,” Griffin stated. He reiterated his commitment to holding companies accountable for data breaches and urged Arkansans to remain vigilant in protecting their personal information and passwords.
Financial Implications of the Settlement
The settlement requires Marriott to pay a total of $52 million to the participating states, with Arkansas set to receive $804,965. This financial restitution is not only a punitive measure but also serves as a reminder to corporations about the importance of maintaining robust cybersecurity practices.
Strengthening Cybersecurity Measures
As part of the settlement, Marriott is mandated to enhance its data security protocols significantly. Key requirements include:
- Implementation of a Comprehensive Information Security Program: This program will introduce new security mandates, including zero-trust principles, regular security reporting to top executives, and enhanced employee training on data handling and security.
- Data Minimization and Disposal Requirements: Marriott will be required to limit the amount of consumer data collected and retained, reducing the risk of future breaches.
- Specific Security Requirements: These include asset inventory, encryption, segmentation of systems to limit intruder movement, timely patch management, intrusion detection, user access controls, and comprehensive logging and monitoring.
- Increased Vendor and Franchisee Oversight: Marriott must conduct risk assessments for critical IT vendors and ensure clear contracts with cloud service providers.
- Independent Third-Party Assessments: An independent assessment of Marriott’s information security program will be conducted every two years for the next 20 years, ensuring ongoing oversight.
- Annual Risk Assessments: Marriott is also required to perform enterprise-level risk assessments annually and conduct ongoing risk analyses throughout the year.
New Consumer Protections
In addition to strengthening its cybersecurity practices, Marriott will provide new protections for customers. Notably, consumers will gain the right to request data deletion, even if such a right is not currently mandated by state law. Furthermore, Marriott will implement multi-factor authentication for loyalty rewards accounts and will actively monitor these accounts for suspicious activity.
Conclusion
The settlement with Marriott International serves as a crucial step in addressing the fallout from one of the largest data breaches in history. By holding the company accountable and mandating significant improvements in its cybersecurity practices, Attorney General Tim Griffin is not only protecting Arkansans but also setting a precedent for corporate responsibility in the digital age. As consumers, it is essential to remain vigilant and proactive in safeguarding our personal information, especially in an era where data breaches have become alarmingly common.
For more detailed information, you can access the full complaint here and the consent judgment here.