Attorney General Jennings Announces $52 Million Multistate Settlement with Marriott for Data Breach of Starwood Guest Reservation Database

Delaware Attorney General Kathy Jennings today announced that a coalition of 50 Attorneys General has reached a settlement with Marriott International, Inc. as the result of a multi-year data breach of one of its guest reservation databases. Under the settlement, Marriott has agreed to strengthen its data security practices using a dynamic risk-based approach, provide certain consumer protections, and make a $52 million payment to states. Delaware will receive nearly $400 thousand from the settlement. The data breach of the Starwood Guest Reservation Database occurred between 2014 and 2018, impacting 131.5 million guest records. The breach exposed personal details, including contact information, birth dates, passport numbers, and payment card information. The settlement requires Marriott to strengthen its cybersecurity practices, including implementing a comprehensive Information Security Program, improving vendor oversight, and performing independent security assessments every two years for 20 years. In addition, Marriott will offer consumers enhanced protections, such as multi-factor authentication and a data deletion option, even before new privacy laws take effect in 2025. The Federal Trade Commission also reached a parallel settlement with Marriott.