Attorney General Dave Yost | Facebook Website
Ohio Attorney General Dave Yost, alongside 49 other attorneys general, has finalized a $52 million settlement with Marriott International Inc. This agreement concludes an investigation into a prolonged data breach involving the guest-reservation system acquired by Marriott.
The breach affected the personal information of approximately 131.5 million hotel guests. Compromised data included contact details, reservation data, and in some instances, unencrypted passport numbers and payment card information. The breach traces back to Marriott's acquisition of Starwood Hotels in 2016, although unauthorized access began as early as July 2014 and was not detected until September 2018.
“Marriott was supposed to be a trusted gatekeeper of millions of people’s personal information, but it failed,” stated Yost. “We’re holding the company accountable and ensuring they have tools in place to prevent a repeat performance.”
As part of the settlement terms, Marriott is required to enhance its data-security measures and provide specific consumer protections. The company will pay $52 million to the states involved in the settlement, including over $1.5 million allocated to Ohio.
The investigation concluded that Marriott breached state consumer protection laws by neglecting reasonable security measures despite assurances about their security practices. Besides the financial penalty, Marriott has agreed to adopt more robust security protocols such as improved employee training and multifactor authentication for loyalty accounts like Marriott Bonvoy.
Further stipulations include:
- Data minimization and disposal: Limiting collection and retention of personal information.
- Enhanced security for new acquisitions: Assessing security practices when acquiring new companies.
- Third-party assessments for 20 years: Undergoing independent evaluations every two years for two decades.
Attorney General Yost emphasized that beyond financial repercussions, this settlement underscores the critical need for companies to prioritize consumer-data protection.
“Companies need to be proactive and diligent when it comes to safeguarding the public’s personal information.”