Marriott International Inc. may be hit with millions of dollars in state fines if the company failed to properly secure guests’ personal information, after revealing a hack that it said may have affected 500 million guests.
The Massachusetts, New York and Illinois state attorneys general quickly announced they would examine the hack. Connecticut Attorney General George Jepsen (D) is also looking into the matter, a spokesman told Bloomberg Law.
A recent $148 million settlement Uber Technologies Inc. reached with attorneys general from all 50 states and the District of Columbia over a 2016 data breach shows states’ regulatory clout, privacy attorneys said.
“The single biggest exposure for Marriott domestically may be state attorney general enforcement action,” Paige Boshell, managing member and attorney at Privacy Counsel LLC, said. States can “act more quickly and exact greater fines than the Federal Trade Commission and coordinate with each other effectively for more comprehensive enforcement,” she said.
States could bring privacy enforcement under their consumer protection statutes, data breach notification standards, and data security obligations.
More state attorneys general will likely join in to probe how Marriott handled the massive breach, privacy attorneys told Bloomberg Law. Depending on the sequence of events, Marriott could see large financial penalties and negative consumer sentiment following the state investigations, they said.
Marriott likely faces “substantial fines” from state attorneys general, Robert Braun, cybersecurity partner at Jeffer Mangels Butler & Mitchell LLP in Los Angeles, said. Massive data breaches “are the types of events that state regulators, for political reasons, are very happy to go after,” he said.
The cost of the state attorneys general probes may hurt Marriott’s bottom line, financial analysts said.
“The near-term impact of the data breach of the Marriott-owned Starwood guest reservation database includes direct costs associated with the investigation, as well as any litigation or liability that Marriott may have with respect to compromised data,” Pete Trombetta, a lodging analyst at Moody’s, told Bloomberg Law in an email.
Marriott didn’t immediately respond to a Bloomberg Law request for comment.
The breach, which Marriott revealed in a Nov. 30 SEC filing, hit reservation information on or before Sept. 10, 2018, the company said.
Marriott said in the filing that it discovered the breach Nov. 19, and learned during an internal investigation that there had been unauthorized access to the Starwood network since 2014.
Out of the company’s 500 million guests, about 327 million Starwood guests may have had their passport numbers, email, and other personal data taken, the company said. Credit and payment card data also may have been stolen.
A spokeswoman for New York Attorney General Barbara Underwood (D) has hinted that she isn’t happy with Marriott’s response to the breach. That likely means that Marriott won’t emerge from the New York investigation unscathed, privacy attorneys said.
“Under New York law, Marriott was required to provide notification to our office upon discovering the breach; they have not done so as of yet,” Amy Spitalnick, communications director for Underwood’s office, wrote on Twitter Nov. 30.
Illinois Attorney General Maura Healey (D) said in an emailed statement confirming her state’s probe into the Marriott breach that it “may have compromised the information of millions, and the public deserves to know how this happened.”