Experts: Marriott's In-House Team Has Much Work Ahead
In-house counsel at Marriott should be focusing on answering questions from a series of regulators and making sure they are complying with all state laws, according to cybersecurity attorneys and experts.
December 03, 2018 at 06:46 PM
For many companies, the question isn't whether they will have a major cybersecurity incident, but when, many experts say. Marriott International Inc. learned that the hard way and last week announced that its customer database was the victim of a data breach in which someone gained access to the personal information of up to 500 million customers.
Experts say that the hotel's in-house counsel, aside from beefing up their cybersecurity, need to be prepared to litigate class action suits from aggrieved customers and shareholders, answer questions from regulators, develop a plan for continued disclosure and make sure the investigation is completed as quickly and as thoroughly as possible.
Joseph P. Facciponti, a former federal prosecutor and white-collar defense partner at Murphy & McGonigle in New York, said that the in-house team at Marriott should prepare for questions from the several regulators who will want to know why it took so long to report.
“Why did it take Marriott and Starwood four years to discover this intrusion? Marriott says that the breach was detected on Sept. 8 of this year, but they later learned that it had been going on since 2014,” Facciponti explained.
“I think that is going to be a big question for regulators because having a reasonable cybersecurity program means having the means to be able to detect intrusions as they happen.”
There already have been class-action lawsuits filed against the hotel chain over the breach and New York Attorney General Barbara Underwood announced last week that she would be investigating the breach and alleged delay of disclosure.
Marriott may also be facing an inquiry under the E.U.'s General Data Protection Regulation (GDPR) because under the GDPR, companies have 72 hours to disclose a breach once it is discovered.
Dimitri Sirota, the CEO and cofounder of BigID, a software company that helps companies protect personal information, said that in-house counsel should be thinking about how data privacy officers in the EU will want to react to the breach.
“I would think they're exposed,” Sirota said. “It could have ramifications from the GDPR.”
Sirota said that he believes that the in-house team will be spending a significant amount of time dealing with the fallout from regulators.
Facciponti said that he is not sure if Marriott would have a cause of action against the former owners of Starwood. He said it would depend on whether there was any evidence that the former owners left something out about a known data breach during the acquisition.
In-house counsel will also need to investigate the possibility of any insider trading.
“If you go back to the Equifax breach, at least two employees have been indicted and charged civilly by the SEC for allegedly trading on material information related to the Equifax breach that they learned between the time the breach was discovered and when it was reported publicly,” Facciponti said.
The breach also serves as a reminder to turn over every stone while a company is in the due diligence process of an acquisition.
Jacey Kaps, a partner at Rumberger, Kirk & Caldwell in Miami, said he finds that during the merger and acquisition process, companies tend to skip over data.
“That comes up a lot. I just reviewed documents for a client and there was nothing about data ownership. If that is an issue here it would not be a great surprise,” Kaps said.
Whether or not data ownership or cybersecurity issues came up during the purchase of Starwood in 2015 is unknown, and it is unclear if Marriott would have a cause of action against the former owners of Starwood.
“I'm not privy to whatever representations that Starwood's management made to that breach. That would be very much a question of what was told by whom during the due diligence,” Facciponti said.
In the meantime, Marriott established a website (info.starwoodhotels.com) and call center for those who think they might have been affected by the data breach. The company said it would begin to contact customers effective Nov. 30. It also said it would provide internet monitoring and other services in some countries free of charge for a year. Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, Design Hotels and Starwood-branded timeshare properties, according to the company.