Marriott International could face millions of dollars in state fines if it fails to properly protect guests’ personal information. The announcement came after the company disclosed a hacking incident that it said may have affected 500 million guests.
The attorneys general of Massachusetts, New York and Illinois quickly announced that they would investigate the hacking. Connecticut state spokesman George Jepsen says he is also looking into the matter.
Uber recently reached a $148 million settlement with attorneys general from all 50 states and the District of Columbia over a 2016 data breach, privacy lawyers said, demonstrating the regulatory clout of states.
“Marriott’s biggest domestic exposure is probably enforcement actions by state attorneys general,” said Paige Boshell, managing member and attorney at Privacy Counsel LLC. States can “act more quickly and accurately than the FTC, and coordinate effectively with each other for more comprehensive enforcement,” she said.
States may enforce privacy protection under their consumer protection ordinances, data breach notification standards, and data security obligations.
More state attorneys general are likely to join the investigation into how Marriott handled the massive breach, privacy lawyers said. Depending on the sequence of events, Marriott could face significant financial penalties and negative consumer sentiment following a government investigation, they said.
Robert Braun, cyber security partner at Jeffer Mangels Butler & Mitchell LLP in Los Angeles, said Marriott could face a “significant fine” from the New York attorney-general. Large-scale data breaches “are the kind of thing that national regulators are only too happy to pursue for political reasons”, he said.
Financial analysts said the cost of the state attorney general’s investigation could hurt Marriott’s bottom line.
Pete Trombetta, moody’s hospitality analyst, said: “The near-term impact of the breach of the Starwood Room Reservations database, which Marriott owns, includes direct costs related to the investigation and any litigation or liability marriott may face as a result of the breach.”
Marriott disclosed the breach in a Nov. 30 filing with the SECURITIES and Exchange Commission. The company said the bug touched bookings made on or before September 10, 2018.
Marriott said in the filing that it discovered the breach on Nov. 19 and learned during an internal investigation that starwood’s network had been accessed without authorization since 2014.
About 327 million of its 500 million guests may have had their passport numbers, emails and other personal data stolen, Starwood said. Credit and payment card data may also have been stolen.
A spokeswoman for Barbara Underwood, New York’s attorney general, suggested that she was not satisfied with Marriott’s response. That could mean Marriott won’t emerge unscathed from the New York investigation, privacy lawyers said.
Amy Spitalnick, director of communications for Underwood’s office, wrote on Twitter on Nov. 30 that “Under New York law, Marriott is required to provide notification to our office when violations are discovered; They haven’t done that so far,”
Illinois Attorney General Maura Healey confirmed in an emailed statement that the state was investigating marriott for violations. “Potentially millions of people’s information was leaked, and the public deserves to know how this happened.”