The question for many companies isn’t a matter of if it will have a major cybersecurity incident, but when, many experts say. Marriott International Inc. learned that the hard way and last week announced that its customer database was the victim of a data breach in which someone gained access to the personal information of up to 500 million customers.
Experts say that the hotel’s in-house counsel, aside from beefing up their cybersecurity, need to be prepared to litigate class action suits from aggrieved customers and shareholders and answer questions from regulators, develop a plan for continued disclosure and make sure the investigation is completed as quickly and as thoroughly as possible.
Joseph P. Facciponti, a former federal prosecutor and white-collar defense partner at Murphy & McGonigle in New York, said that the in-house team at Marriott should prepare for questions from the several regulators who will want to know about why it took so long to report.
“Why did it take Marriott and Starwood four years to discover this intrusion? Marriott says that the breach was detected on Sept. 8 of this year, but they later learned that it had been going on since 2014,” Facciponti explained.
“I think that is going to be a big question for regulators because having a reasonable cybersecurity program means having the means to be able to detect intrusions as they happen.”
There already have been class-action lawsuits filed against the hotel chain over the breach and New York Attorney General Barbara Underwood announced last week that she would be investigating the breach and alleged delay of disclosure.
Marriott may also face inquiry under the E.U.’s General Data Protection Regulation (GDPR), because under the GDPR companies have 72 hours to disclose a breach once it is discovered.
Dimitri Sirota, the CEO and cofounder of BigID, a software company that helps companies protect personal information, said that in-house counsel should be thinking about how data privacy officers in the EU will want to react to the breach.
“I would think they’re exposed,” Sirota said. “It could have ramifications from the GDPR.”
Sirota said that he believes that the in-house team will be spending a significant amount of time dealing with the fallout from regulators.
Facciponti said that he is not sure if Marriott would have a cause of action against the former owners of Starwood. He said it would depend on whether there was any evidence that the former owners left something out about a known data breach during the acquisition.
In-house counsel will also need to investigate the possibility of any insider trading.
“If you go back to the Equifax breach, at least two employees have been indicted and charged civilly by the SEC for allegedly trading on material information related to the Equifax breach that they learned between the time the breach was discovered and when it was reported publicly,” Facciponti said.
The breach also serves as a reminder to turn over every stone while a company is in the due diligence process of an acquisition.
Jacey Kaps, a partner at Rumberger, Kirk & Caldwell in Miami, said that during a merger and acquisition process he finds companies tend to skip over data.
“That comes up a lot. I just reviewed documents for a client and there was nothing about data ownership. If that is an issue here it would not be a great surprise,” Kaps said.
Whether or not data ownership or cybersecurity issues came up during the purchase of Starwood in 2015 is unknown, and it is unclear if Marriott would have a cause of action against the former owners of Starwood.
“I’m not privy to whatever representations that Starwood’s management made to that breach. That would be very much a question of what was told by whom during the due diligence,” Facciponti said.
In the meantime, Marriott established a website (info.starwoodhotels.com) and call center for those who think they might have been affected by the data breach. The company said it would begin to contact customers effective Nov. 30. It also said it would provide internet monitoring and other services in some countries free of charge for a year. Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, Design Hotels and Starwood branded timeshare properties, according to the company.