As Marriott International and Quora reel from data breaches, we discuss ways for companies to implement lessons learned and strengthen their cybersecurity.
As the saying goes: “It’s an ill wind that blows nobody any good.” This past week, Marriott International announced a massive breach of customer information involving 500 million customers. On Monday, Quora announced that a “malicious third party” had compromised the account information of 100 million users of the question-and-answer website.
The unauthorized access to Marriott’s data seems to have commenced around 2014. The scope of the breach has not been fully described, but it appears to reveal extensive data about the hotel group’s guests, including: personal and contact information, passport and driver’s license information, credit card information and other data stored in their customer databases. While this is certainly an ill wind for Marriott, we can use this opportunity to focus on lessons that other companies can learn from the event and incorporate into their own planning.
Breach issues and lessons
Marriott, Quora and other companies suffering a breach face a number of legal and regulatory consequences beyond the public relations and operational issues. Reviewing these issues will help future companies quantify the cost and put parameters around the impact of a breach on their organization. In addition, when the root cause is understood, Marriott and other companies can implement controls to reduce the risk that such a breach will happen again. They can also adjust the degree of training and resources devoted to security assessments and implementations. These consequences are explored in greater detail below.
Civil and regulatory claims
In terms of civil and regulatory action, this breach likely yields an opportunity to gauge how draconian regulators will be; as many have been signaling a growing intolerance for poorly-implemented cybersecurity programs. Because presumably a number of Marriott’s customers are European, regulators will likely want to address whether the information was adequately protected as required by the General Data Protection Regulation (GDPR). Notice could also be an issue, as that law requires reporting within 72 hours of discovering a breach. Beyond the European Union, a number of other nations, including the United States, are also looking to investigate this breach. The New York State Attorney General is also investigating whether her office was given timely notice of the breach, as is required following any breach that exposes information like social security numbers or driver’s license numbers of New York state residents. Ensuring the ability to provide timely notice should be a consideration for all organizations when evaluating their cybersecurity program and incident response plans.
In 2015, Wyndham Worldwide Corp. settled a claim involving three data breaches with the Federal Trade Commission involving 619,000 customers. That settlement did not involve any monetary payments or admissions of liability, but did obligate the company to comply with a consent order to protect credit card information for the next 20 years and be subject to audit and review. Wyndham vigorously fought the FTC’s jurisdiction; as a result, there are a number of reported decisions from the District and Court of Appeals establishing the jurisdiction of the Commission and its ability to judge the suitability of a company’s cybersecurity practices in relationship to its consumers. Given that these issues are now significantly more settled, one can expect to see some action from the FTC; and it is likely they will now seek a monetary fine. It is likely that beyond the actions of New York, other state regulators will also join the fray, as nearly all states have enacted data privacy laws. Beyond the real financial risks that Marriott faces, the number of investigations will certainly impede their operations and be costly to defend. Monitoring the effects of the investigations of Marriott will help other companies better execute their risk assessments and properly assign a scope to their security and privacy plans.
Individual claims and class action lawsuits
In addition to the regulatory claims, Marriott may also face individual claims. It is too soon to see if anyone is actually materially harmed by this breach. Given that the event occurred four years ago, it’s reasonable to expect that one would have had sufficient time to discover he or she has been a victim of a crime relating to the unauthorized use of the information. However, this information resides in a number of places; and a person might not think to attribute it to that hotel chain unless the breach was known or disclosed. One can imagine a number of people looking back over events to determine whether Marriott emerged as a common thread to their identify theft. This analysis will likely take place in the context of class action lawsuits. Whether or not these claims will ultimately succeed is an open question, and the hotel chain has a number of legal arguments to limit its exposure. Regardless of the ultimate outcome, it will still be a considerable legal and operational drag. Future companies analyzing their cybersecurity and privacy program should consider this when developing their plans.
Finally, Marriott will likely face a number of contractual claims. If payment card information was exposed, the banks will likely seek reimbursement to replace credit cards and cover any fraudulent charges. Marriott may also have a number of indemnity and data sharing agreements in place that could be implicated by this breach. Understanding this impact will help future companies assess the importance of ensuring their contracts do not expose them to unnecessary risk.
Importance of access controls
There will also be prospective lessons about the importance of controls. For example, Anthem, Inc. recently settled its cybersecurity breach with the Office of Civil Rights, which claimed that Anthem lacked adequate audit controls to detect a breach and prevent unauthorized access to HIPAA-protected databases. Here it appears that the database had been accessed for a number a years without detection. With time, we have an opportunity to learn about the importance of audit trails and their review to ensure only authorized individuals are accessing information systems for authorized purposes. We will also likely see some further analysis on access controls and continuous monitoring.
If your organization is considering a review of its cybersecurity program, consider reaching out to us to better understand and quantify the risks you might face. We can also work with your company to designate controls and policies to address and mitigate these risks, or discuss methods to transfer or avoid them. For more information, speak with your regular Harris Beach attorney or contact Alan Winchester at firstname.lastname@example.org or (212) 313-5403.