Day by day, we gloss over the latest breach news without connecting the event with our own company. Data breach cases are daily events in the media, so even a well-read businessperson can be lulled into ‘data breach fatigue.’
While the reputational damage of a data breach incident is easy to see and feel, financial liability is harder to quantify from a distance. Cautionary tales abound, and here’s a prime example.
In November 2018, Marriott announced that it had been the target of a massive data breach.
Hackers gained access to Marriott and Starwood’s guest information database. Over the prior four years, hackers allegedly stole contact information and even passport numbers from guests in the database.
Shortly after the breach was announced, consumers who provided their personal information to Marriott during that timeline filed a class action against the hotel chain under theories of tort, contract, and breach of statutory duties.
The Plaintiffs claimed Marriott failed to “take reasonable steps to protect their personal information against the foreseeable risk of a cyber-attack.”
Let me take a moment to highlight the legal theory’s basic premise. It’s important I make it make clear to you: all companies have a level of duty to take reasonable steps to protect the data that they collect, hold, and/or transmit.
The multidistrict litigation (MDL) continues gaining steam, and the legal tactics Marriott raised to block the class action lawsuits are failing.
Recently, Maryland Federal Court held that the Plaintiffs in Marriott Data Breach MDL have standing to sue, and the court denied Marriott’s motion to dismiss claims. Further, the court refused to dismiss remaining claims, including negligence under Florida and Georgia law, breach of contract claims, and statutory claims.
Legal fees have been monumental, and the financial ramifications of this suit are still taking shape. In addition to the lawsuits, The U.K. Information Commissioner’s Office proposed a $124 million fine in response to the Marriott – Starwood breach.
The bottom line: had Marriott invested in data risk management before the breach, they could have saved themselves a fortune AND protected their good name and reputation.
If ever there was an apt time to invoke the adage, this is the occasion.
“An ounce of prevention is worth a pound of cure.”
Protect your Company; understand the appropriate level of responsibility that is reasonably required of a similarly situated organization in your industry, and begin to take these steps if you haven’t begun doing so already.
Should you have any interest in discussing the matter further, I invite you to talk with one of our Advisory Team Members.
Photo by Bernard Gagnon