By Brett Manchel
brett@jayaramlaw.com
Marriott’s recently acquired brand, Starwood Hotels & Resorts Worldwide, LLC, suffered a massive data breach starting in 2014, but only first publicized in December, 2018. Marriott states that customers’ names, addresses, phone numbers, email addresses, passport numbers, dates of birth, and gender of around 500,000,000 guests are exposed, as well as Starwood loyalty program account information and guest reservation information. Some of the exposed data includes guests’ encrypted credit card information as well, though it is not yet known (or publicized) whether the decryption keys for that information are also compromised. It is estimated that this data breach will cost the company $600 million. For Marriott, though, the good news is that the company has at least $350 million of cyber insurance that should cover a portion of this loss.
Scarier is the news that this data breach was the result of Chinese hackers, who also sought to steal data from health insurance and government offices in the United States. According to the New York Times, the goal of these Chinese cyber attacks is to gather as much personal information of Americans as possible. The importance of this data to the Chinese is not commercial; rather, it allows the government to follow individuals – and coupled with other stolen data (like health insurance records) will help the Chinese identify (or root out) intelligence agents and spies.
Legally, though, the circumstances of this breach highlight important issues. For one, Marriott only bought Starwood in 2016 – meaning the data breach existed for 2 years prior to the acquisition. This raises questions about due diligence especially with an eye towards cybersecurity and data protection. Additionally, in light of 2018’s new GDPR rules affecting the personal data of millions of European residents, and instituting strong punishments for violations, this large breach is bound to have a significant financial impact on Marriott.
Here’s the takeaway for our innovative clients – if you are collecting personal data on a large scale, you need to ensure three things from the beginning: First, you need to ensure that you have cyber-liability insurance. Second, you need to ensure you have the right security safeguards in place (like encrypting customer and payment information). Third, you need to ensure compliance with US state-specific privacy laws and the GDPR if you are collecting data from European residents. This can be accomplished with properly drafted Terms of Service and Privacy Policies. If you’ve got questions about the security you are using, and policies you have in place, let us know and we’ll make sure they are current and effective for your purposes.