Indeed, in its article about the Marriott breach, the quoted one observer as saying that, given the volume and sensitivity of personal data taken, as well as the length of the breach, Marriott “has the potential to trigger the first hefty GDPR fine.” The Marriott incident is also a reminder that companies remain vulnerable to massive data attacks.
As the Times said in its article about the breach, the intrusion is “a reminder that after years of headline-grabbing attacks, the computer networks of big companies are still vulnerable.” These vulnerabilities suggest we will continue to see data breach-related litigation, including in particular data breach-related D&O litigation.
On December 1, 2018, plaintiffs’ lawyers filed a securities class action lawsuit in the Eastern District of New York against Marriott; its CEO; its CFO; and its Chief Accounting Officer and Controller.
The investigation revealed that an unauthorized party had copied and encrypted information and had taken steps toward removing the information.
On November 19, 2018, the company was able to decrypt the information and determine that the contents were from the Starwood guest database.
For some guests, the information also includes payment card information, including card expiration date; however, the company was not yet able to determine if the payment card information had been decrypted.
The plaintiffs’ lawyers did not waste any time in launching lawsuits based on the company’s disclosures.
(Marriott acquired Starwood in 2016 for $13.6 billion.) In its press release, the company said that the database itself contained information on up to approximately 500 million guests who had made reservations with Starwood.
For about 327 million of the guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication information.
Turns out, I didn’t give the plaintiffs’ lawyers nearly enough credit for haste.
The plaintiffs’ lawyers managed to file a securities class action lawsuit against the company on December 1, 2018, just one day after Marriott announced the breach.
Instead, it involves allegations that the company suffered a significant reverse in its operations.
In the securities lawsuit, the plaintiffs allege that the company failed to inform investors that the adverse event might occur and that if it did occur it would have a negative impact on the company.
The article contains statements from several data security commentators to the effect that, though the earlier data breach was unrelated to the more recently announced hack, the investigation into the 2015 hack should have uncovered the larger guest information system breach.