Marriott International, Inc. (NASDAQ: MAR, “Marriott”) has reached final resolutions with the Federal Trade Commission (FTC) and 49 U.S. State Attorneys General and the District of Columbia in relation to the 2018 Starwood Hotels and Resorts Worldwide guest reservations database security incident. The resolution with the State Attorneys General includes an agreement to pay $52 million. As indicated in the agreements with the FTC and the State Attorneys General, Marriott makes no admission of liability with respect to the underlying allegations.
As part of the resolutions with the FTC and the State Attorneys General, Marriott will continue implementing enhancements to its data privacy and information security programs, many of which are already in place or in progress. For example, Marriott is offering U.S. customers a process to request deletion of their personal information, offering an online portal for Marriott Bonvoy® members to report potentially suspicious loyalty account activity, and implementing a multi-factor authentication option for Marriott Bonvoy® accounts.
Protecting guests’ personal data remains a top priority for Marriott. These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats.
