December 4, 2018
High-profile data breaches at Marriott International Inc. and Quora Inc. over the past week have upped the pressure for a sweeping U.S. privacy law to hold companies accountable for not securing data.
Privacy legislation gained traction in 2018 after Facebook Inc. and Alphabet Inc.'s Google faced privacy breaches that drew backlash from lawmakers and consumers. But the exposure of up to 500 million Marriott guests and 100 million users of Quora’s question-and-answer website has prompted calls for broad U.S. privacy rules, tech policy strategists told Bloomberg Law.
“Recent controversies around the privacy and security of consumer data has absolutely changed the dynamics on the Hill, and there is more energy and interest behind a federal data privacy law than I have seen in years,” Chan Park, who focuses on tech and privacy issues at public affairs firm Monument Policy Group, said. Park was general counsel for Senate Judiciary Ranking Member Dianne Feinstein (D-Calif.) and former chairman Patrick Leahy (D-Vt.).
Lawmakers have heard the call for legislation and will push for a privacy bill in 2019.
Sen. Roger Wicker (R-Miss.), the likely next chairman of the Senate Commerce, Science and Transportation Committee, said he will make privacy a priority after the recent string of breaches. Data breaches underscore “the importance of protecting consumers’ data and privacy—an issue I plan to prioritize in the next Congress,” Wicker said in an emailed statement.
The recent breaches rank as some of the largest in U.S. history, trailing the 2017 Yahoo Inc. data breach that impacted 3 billion users and was subject to congressional hearings. Former Yahoo CEO Marissa Mayer left the company following the revelations.
Quora said Dec. 3 in a statement that email addresses and encrypted passwords were compromised due to “unauthorized access to one of its systems by a malicious third party.” Quora made the discovery Nov. 30 and said it alerted law enforcement officials and an outside cybersecurity team.
Kelly Langmesser, spokeswoman for Quora, said in a Dec. 4 email that the company is focused on remediation.
Marriott announced Nov. 30 that about 327 million of its 500 million Starwood hotel guests may have had their passport numbers, email, credit, and payment card data stolen. Marriott said it discovered the breach Nov. 19, and learned during an internal investigation that there had been unauthorized access to the Starwood network since 2014, according to an SEC filing.
Marriott didn’t immediately respond to Bloomberg Law’s email requests for comment.
Massive data breaches aren’t new. Adult Friend Finder, Equifax, and eBay all have been the target of hackers, with hundreds of millions of accounts exposed. But the recent breaches highlight the need for strong U.S. privacy laws to hold companies accountable when they don’t secure consumer data, tech policy strategists said.
“These breaches exemplify problems in our current, lax privacy regime, and should spur lawmakers into passing strong legislation in 2019,” Eric Null, senior policy counsel at New America’s Open Technology Institute, said.