GLOBAL REPORT—Marriott International’s announcement of a data breach at its Starwood-branded hotels dating back to 2014 has raised questions about the company’s legal responsibilities, particularly in light of the European Union’s new data privacy law.
Marriott announced on 30 November that it had discovered back in September a data breach of the reservation systems at legacy Starwood Hotels & Resorts Worldwide brands affecting up to 500 million guests.
Such incidents are not without precedent, but data breaches of hotel companies in the past have been at a smaller scale, said Sandy Garfinkel, attorney at Eckert Seamans and chairman of the firm’s data security and privacy group. For instance, Wyndham Worldwide reported a data breach of its central reservation system in 2008 and 2009, he said.
It’s not clear yet exactly what steps Marriott will take, but Garfinkel said he expects the company will provide its franchised hotels with instructions and a coordinated response plan.
Certainly, he said, every U.S. state will be involved, as data breach notification laws differ by state, and some state attorneys general may open investigations.
The EU’s General Data Protection Regulation is something else entirely, he said, and the supervisory authorities in Europe definitely will take an interest as well.
Data breaches like Starwood’s shine a spotlight on data security, said Scott Lyon, a partner at Michelman & Robinson and IT professional. The sheer scope of the incident—only a 2013 data breach of Yahoo affected more people—ensures it will draw the attention of regulators and legislators, he said.
In the U.S., most laws regarding cybersecurity and privacy have focused on the financial and medical industries, and everyone else tends to loosely fall under the Federal Trade Commission’s deceptive and unfair trade practices, Lyon said.
“Incidents like this start to drive states to bolster their existing data breach laws,” he said. “If there’s enough public pressure, it could cause federal legislation on this.”
In response to a request for comment, Marriott stated: “We believe we have complied with all applicable reporting obligations, including our obligations under GDPR.”
GDPR
The implications of the EU’s General Data Protection Regulation remain to be seen, Kristen Johns, partner at Waller Law, said. Because the data breach began before GDPR went into effect on 25 May 2018, it’s up in the air whether regulatory bodies will parse out the number and type of breaches that occurred before and after the data privacy law went into effect, she said.
From her understanding, Marriott appears to be in compliance with the GDPR, she said. Though the breach was first discovered in September, the company continued to investigate and so may not be in violation of a GDPR requirement to provide notice within 72 hours, she said.
The road ahead will be complicated because GDPR requirements are not necessarily consistent with those in U.S. federal and state laws, she said, adding that she expects this incident to set the tone for how regulators respond to data breaches in this new age of privacy.
“This is going to be the case that people watch because everything that happened before happened before 25 May,” she said. “This will be a good precedential case for how attorneys advise their clients.”
Due diligence and M&A disruption
Though he said he is not intimately familiar with Marriott’s acquisition of Starwood, Garfinkel said he’s sure it was a full-equity acquisition, which means that all assets and liabilities are included. Even though Marriott has kept Starwood as a separate, established brand, this all falls under Marriott, he said.
“One of the things I speak about to companies these days is the importance of cyber due diligence and assessing potential cyber liabilities ahead of a potential acquisition,” he said.
He acknowledged that, in this case, typical due diligence may not have caught the problem ahead of the acquisition.
“You can only do as careful of a job as possible, and there are still maybe things you don’t see because they’re too well hidden. That’s particularly true in issues of cyber concerns,” he said.
It’s too soon for outsiders to make any judgments concerning the cause of the breach, or speculate on what could have been done to detect or prevent it, Garfinkel said.
From an M&A standpoint, there are two ways companies can address this, Lyon said. One way is to involve a third party to investigate the company that is being targeted for acquisition, and advise on the transaction. The other is to have the funds to cover the liability the seller is going to carry into the deal, he said.
“In my experience, I have not seen a cybersecurity audit in the M&A process,” he said.
Another potential weak spot is exposed in the integration, or lack of integration, of IT departments in a merged company, Lyon said.
Some companies decide that integrating IT departments will create friction, and so only tie them in as necessary to avoid disruption, he said.
“That’s how some of these old issues post-acquisition never get addressed, because no one saw the need to because there’s a business disruption to integrate it,” he said. “Now you’re not just managing one network but several networks with all different sorts of controls. It becomes sort of a circus.”
Regulators are going to look at post-acquisition controls to determine what companies do to manage the systems, he said. In cases in which individual networks are tied together, regulators will investigate whether there were sufficient resources to manage these networks, he said.
Owners and managers
Starwood-branded hotel owners and managers are probably learning about this breach at the same time as the rest of the world, Garfinkel said. He said he has had clients who are managers and franchisees asking what they should do, but he doesn’t believe anyone is in a position to answer yet.
“Marriott realizes the next steps,” he said. “They are being looked to by those other hotel companies, managers and franchisees for information and guidance.”
In the short term, owners and managers want information—specifically they want to know what happened and how it affects their operations at the franchisee level, he said.
Source of attack
There is no information available yet about who is responsible for hacking into the Starwood system or how it happened.
When a company’s system is attacked like this, it’s usually one of two scenarios, Lyon said.
There’s standard identity theft, in which attackers look to take personal information and monetize it through things like credit card fraud, he said. If that was the case with this incident, it should have been detected sooner, he said.
In the other potential scenario, the attack originates from a nation-state actor, he said. For example, a Russian intelligence team that wants to monitor where certain Ukrainian nationals are traveling would consider hotels a good source of information.
“A lot of nation states want to know where other nation states’ dignitaries and high-level officials are moving around the world,” he said.