Global hospitality firm Marriott International Inc. recently announced it suffered a data security breach in which an unauthorized party copied and encrypted the contact, credit card, passport and travel information for as many as 500 million Starwood property guests over four years.
The hotel chain discovered the incident on November 19 and has been sending out notification emails to affected guests since November 30, when the breach was revealed.
On December 11, the Canadian Press reported that a number of Canadians who stayed at Marriott and subsidiary Starwood Canada ULC hotels are taking legal action against the companies following the breach. At least three proposed class actions have been launched in Toronto and Montreal, in which the plaintiffs are accusing Marriott and Starwood of negligence because they were “reckless” with and failed to safeguard personal information.
“It’s deeply concerning that Marriott appears to have failed in implementing or maintaining reasonable security measures to protect the integrity of its guests’ personal information,” said Sajjad Nematollahi, a lawyer at Siskinds LLP, in an email to The Canadian Press. “The businesses’ failure to protect the individuals’ personal information come at grave costs and result in significant risks to ordinary citizens, for which we believe the wrongdoers must be held accountable.”
Brooke Hunter, president and CEO at HUNTERS International Insurance, commented: “The class action brought by customers against Marriott and Starwood Canada ULC is what the liability insuring agreement of cyber insurance is meant to address. Word on the street is that together the corporations carried $400 million in global cyber insurance, so they look on the face of it like a pretty sophisticated client. But security is only as good as the weakest link, as is the case with cybersecurity. Allegedly, this issue goes back as far as 2014 within Starwood.”
The Wall Street Journal has described Starwood as “the more free-wheeling company in terms of hotel design, marketing and culture,” whereas it suggests Marriott “has a reputation for a more conservative approach and a focus on operations.” Commenting on those descriptions, Hunter said Starwood’s kind of culture “may not be cybersecurity-minded” but Marriott’s “sounds to me like a culture that would respect risk management on all sorts of fronts including cyber.”
According to Hunter, this breach highlights “the convergence of M&A risk and cyber risk,” and how company culture “plays such a huge role in both cases.” When it comes to due diligence in an M&A deal, it’s vitally important for acquisitive boards to ask the right questions about cybersecurity and culture, he said.
“Is the pursuit of the mammoth transaction so paramount that these risk issues are lost in the process?” he asked. “And does M&A indigestion prevent clarity in the risk context? Somehow, a number of people from both camps couldn’t see their way to full disclosure for some time. How the cyber insurance reacts as the timing facts in this case become perfectly clear remains to be seen.”
David Clark, senior claims counsel at Travelers Canada, described the Marriott and Starwood case as “one of the ‘big’ data breaches that people will talk about for years to come.” Like Hunter, he pointed to the risks involved in M&A transactions.
“It demonstrates the risks inherent whenever one company acquires another. Marriott purchased the Starwood Group in 2016. News releases from Marriott advise that the unauthorized access in the Starwood computer network dated back to 2014. So, Marriott effectively bought this problem when it purchased the Starwood Group. This highlights cybersecurity as an important area to be examined in any corporate merger or acquisition,” Clark told Insurance Business.
“Another issue this case shows is that data breaches can go on for months – or in this case years – before anyone identifies the problem. Long lag times between breach and discovery are not uncommon. And what that often means is that the initial problem, which seems small and manageable, can very quickly grow to be a much, much larger concern. That needs to be kept in mind as the response to any data incident starts.
“Brokers can use this case as a lesson for clients, both large and small. The lessons apply whether the client is Bay Street or Main Street. Have you acquired a business or a competitor? Did you just unknowingly buy a problem? And, if a large sophisticated organization can fail for years to detect an unauthorized intruder, can it happen to you?”
Cyber insurance has been cited by global law firm Clyde and Co as one of the top emerging risks faced by directors and officers in companies around the world today. Those in top managerial positions can be held liable if a company’s confidential information is disclosed during unauthorized access by an outside third party.
“Cyber risk is definitely a growing risk for D&Os,” Clark added. “We will have to wait and see what happens in the Marriott case, but even medium-sized large data breaches typically bring consumer class actions, and the larger ones can spawn shareholder litigation. Corporate boards need to take steps to effectively reduce exposure from these cyber risks.”