Marriott Announces Massive Data Breach
December 6, 2018
On November 30, Marriott announced a massive data breach affecting up to approximately 500 million guests whose records were held in the Starwood guest reservation database, with unauthorized access spanning roughly four years. By the next business day after the announcement, Marriott faced at least a dozen putative class action lawsuits and at least two regulatory investigations.
How did this happen? In 2016, Marriott acquired rival hospitality giant Starwood Hotels. Marriott conducted due diligence before the merger, but that review did not detect that the Starwood guest reservation database had already been compromised: attackers first gained access in 2014, two years before the acquisition, and retained it after the merger closed. Marriott's own security tooling raised an alert in September 2018, and the resulting investigation confirmed in November that the database had been accessed and guest data copied. The lesson for acquirers is that reviewing a target's security policies and controls is not the same as checking whether an intrusion is already under way.
Marriott's announcement has sparked outrage from consumers, shareholders, courts, and legislators alike, all of whom demand answers. In the wake of more than a dozen lawsuits by customers and shareholders seeking hundreds of millions of dollars, as well as investigations by several states' attorneys general and European regulators, Marriott has yet to explain how the breach went undetected for so long. What is evident, however, is that an intrusion of four years' duration survived both Starwood's own monitoring and Marriott's pre-acquisition due diligence, and that Marriott did not do enough to protect its customers' data.
Marriott is not alone. Many companies choose to overlook cybersecurity. Historically, this was not uncommon, because absorbing a breach was often cheaper than instituting proper data security measures or digging deeper during due diligence. Watching the repercussions of Marriott's breach unfold, it is clear that this calculus no longer holds. As Marriott begins living this business nightmare, there is a stronger push than ever toward stricter data protection regulations with enforcement measures designed to make companies pay attention.
Fortunately for Marriott, it likely has the resources to survive the catastrophic financial and reputational harm of this data breach. However, many businesses could not survive a similar breach. With enforcement and scrutiny at an all-time high, the time for businesses to evaluate their data security practices is now.
The McNees Privacy & Data Security Group is equipped to help you evaluate your data security practices, comply with U.S. and international privacy laws, evaluate the data-security risk of acquisition targets, and respond appropriately when an incident occurs.
Sarah C. Dotzel practices in the Litigation and Privacy & Data Security Groups at McNees Wallace & Nurick LLC.
© 2018 McNees Wallace & Nurick LLC
McNees Privacy & Data Security Alert is presented with the understanding that the publisher does not render specific legal, accounting or other professional service to the reader. Due to the rapidly changing nature of the law, information contained in this publication may become outdated. Anyone using this material must always research original sources of authority and update this information to ensure accuracy and applicability to specific legal matters. In no event will the authors, the reviewers or the publisher be liable for any damage, whether direct, indirect or consequential, claimed to result from the use of this material.