Following a significant data breach, Marriott will pay Arkansas over $800,000

Little Rock, Arkansas – Arkansas will get more than $800,000 as part of a settlement between Marriott International, Inc. and a coalition of 50 attorneys general over a multi-year data breach, Attorney General Tim Griffin stated earlier today.

This follows a continuous data breach that affected 131.5 million guest records from Marriott between 2014 and 2018, including contact details, gender identification, dates of birth, reservation details, preferred hotel stays, passport numbers, and payment card information.

According to a release from Griffin, the settlement will safeguard Arkansans’ personal data going forward.

“This settlement serves as yet another reminder of the widespread nature of data breaches and the multitude of lives they affect, including those of individuals who travel for work, leisure, or family visits, especially as Cybersecurity Awareness Month draws to a close,” Griffin stated.
“I’m still determined to hold businesses responsible for data breaches, and I’m urging Arkansans to exercise caution and safeguard their passwords and personal information.”

Marriott must bolster its data security, implement more consumer safeguards, and pay states $52 million as part of the deal. Of this amount, $804,965 is slated to go to Arkansas.

Marriott is required by the settlement terms to improve its cybersecurity procedures, which include:

• Implementation of a comprehensive Information Security Program. This includes new overarching security program mandates, such as incorporating zero-trust principles, regular security reporting to the highest levels within the company, including the Chief Executive Officer, and enhanced employee training on data handling and security.
• Data minimization and disposal requirements, which will lead to less consumer data being collected and retained.
• Specific security requirements with respect to consumer data, including component hardening, conducting an asset inventory, encryption, segmentation to limit an intruder’s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the network.
• Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers.
• In the future, if Marriott acquires another entity, it must assess the acquired entity’s information security program in a timely manner and develop plans to address identified gaps or deficiencies in security as part of the integration into Marriott’s network.
• An independent third-party assessment of Marriott’s information security program every two years for a period of 20 years for additional security oversight.

In addition, Marriott is required every year to carry out risk assessments at the enterprise level and ongoing risk assessments for modifications to security procedures.

Consumers will now have additional protections, such as the option to have their data deleted, even if they presently do not have that right under state law.

Additionally, Marriott needs to check the loyalty points accounts of its clients for unusual activity and provide multi-factor authentication.

 

 

 
