Marriott Announces Massive Data Breach

McNees Wallace & Nurick LLC

On November 30, Marriott announced that it experienced a massive data breach affecting 500 million customers over a four-year span. By the next business day after its announcement, Marriott faced at least a dozen putative class action lawsuits and at least two regulatory investigations.

How did this happen? In 2016, Marriott acquired rival hospitality giant Starwood Hotels. Although due diligence was conducted prior to the merger, no one detected the gaping hole in Starwood Hotels’ cybersecurity. Hackers had gained access to Starwood’s database in 2014, before the merger, and, because the hole went undetected, continued to have access until Marriott discovered the breach in November of this year.

Marriott’s announcement has sparked outrage from consumers, shareholders, courts, and legislators alike, all of whom demand answers from Marriott. In the wake of more than a dozen lawsuits by customers and shareholders seeking hundreds of millions of dollars, as well as investigations by several states’ attorneys general and European regulators, Marriott has yet to comment on how the breach went undetected for so long. What is evident, however, is that Marriott did not do enough to protect its customers’ data.

Marriott is not alone. Many companies choose to overlook cybersecurity. Historically, this was not uncommon because the cost of a breach was often lower than the cost of instituting proper data security measures or diving deeper during due diligence. Watching the repercussions of Marriott’s breach unfold, it is clear that this is no longer the case. As Marriott begins living this business nightmare, there is a stronger push than ever toward stricter data protection regulations containing enforcement measures designed to make companies pay attention.

Fortunately for Marriott, it likely has the resources to survive the catastrophic financial and reputational harm of this data breach. However, many businesses could not survive a similar breach. With enforcement and scrutiny at an all-time high, the time for businesses to evaluate their data security practices is now.

The McNees Privacy & Data Security Group is equipped to help you evaluate your data security practices, comply with U.S. and international privacy laws, evaluate the data-security risk of acquisition targets, and respond appropriately when an incident occurs.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McNees Wallace & Nurick LLC | Attorney Advertising
