Shirley Emehelu Executive Assistant Attorney General | New Jersey Department of Law and Public Safety
Attorney General Matthew J. Platkin and the Division of Consumer Affairs have announced a $52 million settlement with Marriott International, Inc., involving a coalition of 50 Attorneys General. This settlement resolves investigations into two significant data breaches, with New Jersey receiving over $1.3 million from the agreement.
"This settlement is another example of how New Jersey and other states are working together to hold corporations accountable for their failures to safeguard customer data," stated Attorney General Platkin. He added that companies must treat consumer data as carefully as other assets.
Cari Fais, Acting Director of the Division of Consumer Affairs, emphasized the importance of data privacy: "Consumers have the right to know that corporations take data privacy seriously and will protect their private information."
The States allege Marriott violated laws by misrepresenting its protection measures for consumers' personal information and failing to use adequate cybersecurity safeguards. The first breach occurred in 2014 when an unauthorized party accessed Starwood Hotels and Resorts Worldwide's guest reservation database. In 2016, after Marriott acquired Starwood, the intruders remained undetected until 2018.
Marriott disclosed this breach on November 30, 2018. The forensic examination revealed several failures, such as inadequate firewall controls and unencrypted payment card information stored outside secure environments.
Approximately 131.5 million Americans were affected by this breach, including more than 4.3 million New Jersey residents.
A second incident involved intruders compromising credentials at a Marriott-franchised property between September 2018 and December 2018 and again from January to February 2020. Over these periods, attackers accessed over 5.2 million guest records containing personal information.
The consent judgment was filed in Mercer County's Superior Court, Chancery Division. Besides financial penalties, Marriott agreed to improve cybersecurity practices significantly by implementing several measures:
- Employing a Chief Information Security Officer
- Creating a Board committee for oversight on security programs
- Implementing specific security requirements for consumer data
- Reporting security breaches
- Providing methods for consumers to request data deletion or review loyalty rewards
- Training employees on protecting personal information
- Conducting mandatory risk assessments during acquisitions
- Implementing integration plans ensuring compliance with security programs
Other jurisdictions joining the settlement include Alabama through Wyoming and the District of Columbia.
New Jersey's representation included Deputy Attorney General Mandy K. Wang, under Section Chief Kashif T. Chand's supervision, along with Assistant Section Chief Thomas Huynh, within the Data Privacy & Cybersecurity Section at the Division of Law's Affirmative Civil Enforcement Practice Group.
Investigator Aziza Salikhova of the Office of Consumer Protection, within New Jersey's Division of Consumer Affairs, conducted this investigation.