(BIVN) – The State of Hawaiʻi is part of a $52 million, multistate settlement Marriott International, Inc., following the multiyear data breach of one of Starwood reservation databases. 

The Hawai‘i Department of Commerce and Consumer Affairs Office of Consumer Protection announced the settlement on Wednesday, saying the state will receive $438,045.00 from the agreement. 

Marriott will also strengthen its data security practices “using a dynamic risk-based approach”, and provide other consumer protections. 

The settlement involved a coalition of 50 attorneys general as well as Federal Trade Commission. From the Hawaiʻi DCCA:

Marriott acquired Starwood in 2016 and took control of the Starwood computer network within the same year. However, from July 2014 until September 2018, intruders in the system went undetected. This led to the breach of 131.5 million guest records pertaining to customers in the United States. The impacted records included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.

Shortly after the breach of the Starwood database was announced, a coalition of 50 attorneys general launched a multistate investigation into the breach. Today’s settlement resolves allegations by the attorneys general that Marriott violated state consumer protection laws, personal information protection laws, and, where applicable, breach-notification laws by failing to implement reasonable data security measures and remediate data security deficiencies, particularly when attempting to use and integrate Starwood into its systems.

“When companies choose to collect and store consumer data, they must take steps to secure it,” stated Executive Director of the Office of Consumer Protection, Mana Moriarty. “We will continue to hold businesses accountable for their failure to do so.”

The Hawaiʻi DCCA detailed some of the measures that Marriott will take under the terms of the settlement, including:

• of a comprehensive Information Security Program. This includes new overarching security program mandates, such as incorporating zero-trust principles, regular security reporting to the highest levels within the company, including the Chief Executive Officer, and enhanced employee training on data handling and security.
• Data minimization and disposal requirements, which will lead to less consumer data being collected and retained.
• Specific security requirements with respect to consumer data, including component hardening, conducting an asset inventory, encryption, segmentation to limit an intruder’s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the network.
• Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers.
• In the future, if Marriott acquires another entity, it must timely further assess the acquired entity’s information security program and develop plans to address identified gaps or deficiencies in security as part of the integration into Marriott’s network.
• An independent third-party assessment of Marriott’s information security program every two years for a period of 20 years for additional security oversight.

According to the Hawaiʻi DCCA news release:

These settlement terms are grounded in a well-developed risk-based approach in which Marriott not only needs to conduct an annual enterprise level risk assessment, but it must also perform risk analyses throughout the year for changes to security controls. Those ongoing risk assessments must address the criteria of “harm to others” – which would include potential harm to consumers.

As part of the settlement, Marriott will give consumers specific protections, including a data deletion option, even if consumers do not currently have that right under state law. Marriott must offer multifactor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy, as well as reviews of those accounts if there is suspicious activity.

Connecticut, Maryland, and Oregon as well as the District of Columbia, Illinois, Louisiana, Massachusetts, North Carolina, and Texas co-led the multistate investigation, assisted by the Executive Committee of Alabama, Arizona, Arkansas, Florida, Nebraska, New Jersey, New York, Ohio, Pennsylvania, and Vermont, and were joined by Alaska, Colorado, Delaware, Georgia, Hawai‘i, Idaho, Indiana, Iowa, Kansas, Kentucky, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Mexico, North Dakota, Oklahoma, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.