By: Andrew Lipton
On November 30, 2018 Marriott International announced that hackers gained “unauthorized access” to the Starwood brand reservation database, potentially compromising the accounts of approximately 500 million guests. According to company officials, the hackers “copied and encrypted [guests’] information, and took steps toward removing it” beginning in 2014. This information included names, phone numbers, email addresses, passport numbers, dates of birth and guest’s travel itinerary information. Marriott allegedly discovered the data breach last week.
Preliminarily, this data breach could be along the same magnitude as the Yahoo data breach in 2016, and the Equifax data breach in 2017. If so, this breach would raise multiple liability and exposure issues, including (1) General Data Protection Regulation (GDPR) compliance; (2) potential shareholder class actions; and (3) increased scrutiny from the Federal Trade Commission (FTC) and the Securities and Exchange Commission’s Division of Enforcement (SEC) regarding public company cybersecurity practices. Specifically, these issues include:
GDPR
- The Marriott data breach is arguably the first large-scale data breach affecting hundreds of millions of customers that could fall within the purview of the European Union (E.U.) GDPR. The GDPR applies to all organizations holding and processing E.U. resident’s personal data, meaning that the GDPR likely applies to Marriott International (however, it is unclear whether the personal data of E.U. citizens was specifically breached here).
- Under the GDPR, “[i]n the case of a personal data breach, the controller shall without undue delay, and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority…Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.” Marriott’s announcement that the breach was discovered last week may call into question whether or not Marriot violated the 72-hour breach notification requirement.
- Penalties for non-compliance with GDPR requirements are 4% of worldwide revenues. Considering Marriott’s multi-billion dollar worldwide revenues, a potential penalty for non-compliance (in the event that E.U. citizens’ data was affected here) would be substantial.
Potential Shareholder Class Action Exposure
- Based on experiences with Yahoo, Equifax, and others, potential shareholder plaintiffs will immediately look to all public statements made by Marriott directors and/or officers over a certain period regarding Marriott’s cybersecurity and data protection programs. News outlets reported as of the morning of November 30, 2018 that Marriott’s stock price already dropped roughly 6%. Get ready. With a market capitalization value of $39.5 billion, shareholder’s plaintiffs will attempt to argue that Marriott directors and/or officers issued false and/or misleading statements to the market, and that the data breach revelation is a “corrective disclosure” with respect to the true adequacy of Marriott’s cybersecurity and data privacy practices.
- Whether or not securities class action settlements based on data breaches are a significant threat remains to be seen in light of the few cases we have to look to as examples. However, the immediate concern here, especially for D&O insurers, is the likely costs of defending multiple securities class action lawsuits, as well as shareholder derivative lawsuits. Costs for defending these types of actions, whether based on a cybersecurity incident or not, can implicate tens of millions in D&O insurance dollars.
Increased Scrutiny from the SEC & FTC [1]
- Just last month, the SEC issued a report warning that failure to implement adequate cybersecurity controls to address the risk of business email compromises may violate Sections 13(b)(2)(B) of the Securities Exchange Act of 1934. This report came on the heels of a more broadly worded guidance by the SEC issued on February 21, 2018 regarding cyber risk disclosure by public companies. What these developments portend is an overall increase in scrutiny by the SEC with respect to cybersecurity practices that will lead to more investigations, more subpoenas, and potentially more fines for public companies.
- The FTC also expects companies to undertake “adequate” cybersecurity measures to protect the data companies collect. The FTC has taken a lead in scrutinizing companies’ privacy practices on the basis that poor cybersecurity is an unfair business practice, most notably in its lawsuit against Wyndham Hotels in 2014. Indeed, the FTC filed more than 50 general privacy lawsuits in 2017. As such, there is reason to suspect that the FTC will take similar investigative steps here with Marriott.
- In this instance, Marriott may come in the SEC’s crosshairs with respect to their cybersecurity and data protection practices depending on the circumstances. Much like the discussion above with respect to shareholder class action exposure, the immediate concern here is costs. The costs of responding to investigative subpoenas and requests for testimony by the SEC climb quickly into the tens of millions of dollars – some of which may be covered by D&O insurance, some of which may not. Regardless of the outcome of any investigation, insurers should be wary of these potential costs in the event of a likely SEC investigation in to Marriott’s cybersecurity and data protection practices.
Practitioners in the cyber law and data protection field are constantly studying the immediate liability and exposure impacts of large-scale data breaches. Our experiences with other breaches, such as Yahoo and Equifax, guide us here with one clear exception: the GDPR. It will be interesting to see how the GDPR may potentially operate to increase the total exposure of Marriott to legal costs and potential fines, on top of potential third party liability and U.S. government scrutiny.
[1] We note that the New York Attorney General’s Office has already commenced an investigation into the Marriott data breach. Exposure from state attorneys general offices and similar state enforcement agencies will also be a significant exposure threat here.