Marriott Inks $52M Deal with States Over Guest Data Breach

Law360

October 9, 2024

Marriott International Inc. has agreed to pay $52 million to nearly every U.S. state and bolster its data security practices to resolve parallel investigations by state attorneys general and the Federal Trade Commission over a massive data breach at the hotel’s Starwood-branded properties.

A coalition of attorneys general from the District of Columbia and every state except California announced Wednesday that they had reached a deal with Marriott to settle claims that the hotel chain had violated various state consumer protection laws, personal information protection obligations and breach notification statutes by failing to implement reasonable data security practices and remediate data security deficiencies when attempting to use and integrate Starwood into its systems following Marriott’s acquisition of the brand in 2016.

Hackers had infiltrated Starwood’s computer system in July 2014 and remained there undetected until September 2018, leading to the breach of records containing contact information, dates of birth, reservation information and a limited number of unencrypted passport numbers and unexpired payment card information belonging to roughly 131.5 million Starwood guests, according to the attorneys general.

. . .

In addition to the settlements announced Wednesday, Marriott is also facing multidistrict consumer litigation over the Starwood data breach that was the focus of the state attorneys general case.

A Maryland district court in December reinstated certification for eight classes of potentially hundreds of millions of customers who accuse Marriott and its information technology provider Accenture LLC of failing to take reasonable steps to protect personal information exposed in the Starwood data breach, on the heels of the Fourth Circuit last year vacating an earlier district court order certifying these classes.

Marriott has again appealed the dispute to the Fourth Circuit, arguing that the terms in its customer agreements would have prevented plaintiffs from bringing the action entirely.

Amy Keller of DiCello Levitt LLP, James J. Pizzirusso of Hausfeld LLP and Andrew Friedman of Cohen Milstein Sellers & Toll PLLC, who are co-lead counsel in the case, stressed in a statement provided to Law360 that Marriott’s settlement with regulators doesn’t resolve the long-running MDL.

“We also recently uncovered that Marriott’s representations to consumers and the public concerning encryption of the stolen data were patently false, leading to a court order requiring Marriott to correct statements on its website.

“We will continue to prosecute this case until we achieve justice for the individuals victimized by Marriott’s false data security promises and recklessness,” they said.