With the news breaking early this morning that up to 500 million Marriott customers have been victim of a data breach at the hotel giant's Starwood-brand properties going back as early as 2014, Attorney General Peter F. Kilmartin is sharing information on the breach and the steps Rhode Island consumers should take if they believe their information was compromised in the breach.
According to the company, for approximately 327 million of the 500 million customers, the data hacked included passport numbers, emails and mailing addresses. In addition, some credit card details may also have been taken.
Under Rhode Island's data breach statute (RIGL 11-49.3-4), companies that experience a data breach must take certain steps to notify affected consumers and must notify the Attorney General's Office should more than 500 Rhode Island resident be impacted.
Specifically, the statute reads:
In the event that more than five hundred (500) Rhode Island residents are to be notified, the municipal agency, state agency, or person shall notify the attorney general and the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals. Notification to the attorney general and the major credit reporting agencies shall be made without delaying notice to affected Rhode Island residents.
In addition, the statute requires notification to affected consumers to include:
d) The notification to individuals must include the following information to the extent known:
(1) A general and brief description of the incident, including how the security breach occurred and the number of affected individuals;
(2) The type of information that was subject to the breach;
(3) Date of breach, estimated date of breach, or the date range within which the breach occurred;
(4) Date that the breach was discovered;
(5) A clear and concise description of any remediation services offered to affected individuals including toll free numbers and websites to contact: (i) The credit reporting agencies; (ii) Remediation service providers; (iii) The attorney general; and
(6) A clear and concise description of the consumer's ability to file or obtain a police report; how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze; and that fees may be required to be paid to the consumer reporting agencies.
As of now, the Attorney General's Office has not received notification from Marriott that more than 500 Rhode Island residents' information was compromised.
"Although we have not received notification from Marriott at this time, with a breach of this size and scope, it is highly likely that data from more than 500 Rhode Island residents may have been compromised," said Attorney General Peter Kilmartin. "While Marriott has publicly indicated they will contact impacted customers, I urge anyone who has stayed at one of the Starwood-brand hotel properties during the time frame of the breach to take immediate steps to protect themselves."
Marriott has set up a website (https://answers.kroll.com/) and a call center (877-273-9481) for consumers to get more information and to enroll in WebWatcher, which monitors internet sites where personal information is shared and generates an alert if evidence of your personal information is found.
Attorney General Kilmartin suggests consumers take additional steps to protect their identity and prevent scammers from gaining credit in their name, including putting a credit freeze on their credit accounts. Thanks to the advocacy of Attorney General Kilmartin, Rhode Island law now prohibits credit reporting agencies from charging consumers a fee for placing or lifting a credit freeze on their account.
After last year's massive Equifax data breach, Attorney General Kilmartin filed legislation prohibiting credit reporting agencies from charging consumers a fee for placing or lifting a credit freeze on accounts, regardless of age or if a consumer was a victim of identity theft. The measure became law earlier this year.