Company Data Breaches Lead to Enforcement Actions
Contacting legal counsel as soon as possible following discovery of a data breach can increase a company’s ability to comply with various state and local laws. Recently, Marriott International announced that it had experienced a data breach comprising the personal data of over 500 million guests who made reservations through Starwood, a hotel chain recently acquired by Marriott. Marriott now faces at least three state enforcement investigations for failing to timely disclose the data breach and many class action lawsuits alleging that Marriott negligently protected customers’ data and did not adequately notify customers of the data breach.
Marriott International recently acquired Starwood Hotels & Resorts Worldwide, Inc. and has undertaken a rolling consolidation of the two companies’ data systems. On November 30, 2018, Marriott announced it had discovered a significant data breach in Starwood’s guest reservation database that compromised the personal data of over 500 million customers. Marriott estimates that for 327 million of those guests — roughly equivalent to the entire population of the United States — the compromised information included some combination of name, mailing address, phone number, email address, passport number, loyalty account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Encrypted credit card information of other guests was also compromised. To compensate the victims of this breach, MarketWatch reported that Marriott has agreed to pay for passport replacements if the company finds customers have been a victim of fraud.
This incident serves as a useful reminder that, in addition to reputational harm and remediation costs, data breaches expose companies to costly post-breach proceedings such as government enforcement actions and class action lawsuits. Attorneys general from at least three states — New York, Maryland, and Pennsylvania — have opened investigations into the Marriott data breach. It appears these investigations are focused on the timeliness of Marriott’s disclosure of the breach to state authorities. All fifty states have data breach notification laws. Some states, such as New York, require companies to disclose any breach of computerized data by notifying the state attorney general “in the most expedient time possible and without unreasonable delay.” N.Y. Gen. Bus. Law § 899-aa(2) (2018). The Hill reported that Marriott had not disclosed the data breach to the New York Attorney General as of November 30, 2018, despite a statement in Marriott’s press release saying the company was alerted to the breach on September 8, 2018. It remains to be seen what, if anything, will come from these enforcement actions.
Just hours after Marriott publicly announced the data breach, plaintiffs lawyers had already filed class action lawsuits in Oregon and Maryland. Since then, at least one dozen similar lawsuits have been filed in other jurisdictions. These complaints generally allege that Marriott was negligent by failing to 1) maintain adequate technological safeguards, and 2) adequately disclose the data breach to its customers. The damages sought are significant. For example, the Oregon complaint seeks $25 per affected customer, which is up to $12.5 billion in total damages.
Marriott’s experience reminds us all that companies experiencing a data breach should contact legal counsel as soon as possible following discovery of the breach for advice on compliance with a myriad of state and local laws. In addition to ensuring the company timely discloses the breach to the proper authorities, counsel can help the company identify and address additional regulatory or contractual obligations triggered by the breach. Upon discovery of a data breach, time becomes a precious commodity when it comes to compliance and risk mitigation.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.