The state of Hawai‘i Department of Commerce and Consumer Affairs Office of Consumer Protection has announced a settlement with Marriott International, Inc. regarding a significant data breach affecting the Starwood guest reservation database. This settlement is the result of an investigation conducted by a coalition of 50 attorneys general. The Federal Trade Commission also reached a parallel agreement with Marriott.
Under this agreement, Marriott will enhance its data security practices using a dynamic risk-based approach and provide certain consumer protections. Additionally, Marriott will pay $52 million to the states involved in the settlement. Hawai‘i will receive $438,045 from this amount.
The breach occurred between July 2014 and September 2018 when intruders accessed the Starwood computer network without detection. This led to unauthorized access to 131.5 million guest records, including contact information, gender, dates of birth, reservation details, hotel stay preferences, and some unencrypted passport numbers and payment card information.
Following the announcement of the breach in 2018, a multistate investigation was initiated by the attorneys general coalition. The investigation alleged that Marriott violated various state consumer protection laws by failing to implement adequate data security measures and address deficiencies while integrating Starwood into its systems.
Mana Moriarty, Executive Director of the Office of Consumer Protection stated: "When companies choose to collect and store consumer data, they must take steps to secure it. We will continue to hold businesses accountable for their failure to do so."
As part of the settlement terms, Marriott is required to strengthen its cybersecurity practices continually. Specific measures include conducting annual enterprise-level risk assessments as well as ongoing analyses throughout the year addressing potential harm to consumers.