skip to main content

Preparing, Adapting and Responding to Cyber Incidents: Marriott International Case Study

March 7, 2019

Spencer Pollock, Esq., Niles, Barton & Wilmer, LLP and Roger Hockenberry, CEO of Cognitio Corporation

View Full Article

Cybersecurity is an issue that every company, of every size, must address as part of standard risk identification. The perception that the size of your company will protect you from a potential cyber attack is no longer realistic. In this case study, Spencer S. Pollock, Esq., CIPP/US, and Roger Hockenberry, CEO, Cognitio Corporation, discuss a recent data breach and lessons that may be learned for a company of any size operating anywhere in the world.

Recently, Marriott International’s reservation database was hacked and during the breach personally identifiable information (“PII”) from approximately 500 million people was stolen.[1] Marriott generates nearly $22 billion in revenue, and spends large sums on cyber defense and could not stop the breach from happening.[2] Due to the breach, Marriott is now facing a multi-million-dollar class action lawsuit where the Plaintiffs allege that Marriott failed to identify and notify the individuals affected by the breach that began in 2014.[3] What does the Marriott data breach demonstrate? That no matter the size of your company, or how much you spend on information systems security, a cyber incident may eventually occur.

While your company might not be as large as Marriott, hackers are equal opportunity criminals who do not discriminate by the size or revenue of a company. In fact, 58% of data breaches in the last year occurred within small to midsized companies.[4] If you are the owner or chief executive officer of a small to midsized business, consider the PII your company collects, analyzes, and stores from customers, vendors and partners. Now consider the reputational, financial, and legal effects of this information being stolen. The average cost of a breach for a small to mid-sized business is $149,000.00.[5] After a breach, six out of ten small to mid-sized companies go out of business.[6] Finally, consider the legal ramifications of a myriad of data protection and privacy laws affecting your company. Despite these statistics, there are steps you can take to mitigate the potential effects of a breach. Specifically, your company needs to follow this process: prepare, adapt, and respond.

PREPARE

The most time consuming and the labor-intensive step is ensuring your leadership takes the appropriate actions to prepare your company to tackle the variety of data protection and privacy threats. Every company should develop a strong data strategy that looks at how data is utilized, exits and enters, is protected and eventually distributed to various users of that data. Most companies fail to realize that data is now currency, and identifying risk is essential to the long-term health and viability of your business.

First, examine what PII, or other sensitive data your business collects, analyzes, and stores, and why. Decide if it is necessary to continue collecting PII and if it is, ensure you do not collect more information than is needed. Second, determine how your company protects PII and implement simple and affordable measures to better safeguard this information:

  • Educate and train your employees on data security best practices;
  • Ensure physical documents containing PII are in secure locations;
  • Keep your servers in a location that is locked;
  • Don’t save information on your hard drive. Use a cloud-based service (i.e., Dropbox, iCloud, Google, etc.) and ensure that appropriate encryption and protection is utilized;
  • Enable a two-factor authentication when an employee accesses their workstation;
  • Have a policy that requires employees to change their password periodically; and
  • Limit the ability to obtain the information to essential personnel only. 

Third, identify which laws, regulations, and statutes control and dictate compliance for your company. Every state has data protection and privacy laws. There are specific laws in place governing specific kinds of personally identifiable information (i.e., HIPAA, GLBA, COPPA, TCPA, etc.). While compliance is not equal to security in the cyber world, maintaining consistency with guidelines is now table stakes to basic security in the enterprise.

Fourth, have your IT department or an external cybersecurity expert firm perform tests on your systems to determine and address any potential vulnerabilities.

Finally, create an incident response plan. Run table-top exercises against established scenarios so that you can quickly identify parties and leadership needed to analyze, triage, remediate and communicate about the issues, and the steps being taken to resolve the breach. Poor communication is typically the issue that leads to lawsuits and can lead to serious reputational damage.

ADAPT

After implementing the preparations, companies need to continue to adapt and evolve. Keep educating and training your employees periodically about data protection. Continue testing, monitoring, and assessing your system's vulnerabilities. Run a privacy impact assessment if you decide to change how you are collecting, using, and storing data. Keep your clients and employees appraised of any changes to your privacy policy and the effect it will have on their PII or other sensitive data.

RESPOND

Lastly, if there is a breach, the most important action is a proactive, decisive, and effective response. Do not ignore the problem. Confront the breach head-on to avoid exacerbating the consequences.

There is no mechanism to stop a sophisticated and determined hacker from gaining access to your databases. Marriott International is a recent multinational example. However, implementing measures to prepare for a breach, adapting and remaining vigilant to cybersecurity attacks, and responding to an intrusion proactively provides your company guidelines to best protect against these types of threats.

For more information regarding data privacy and protection laws, contact:

       Spencer P. Pollock, Esq., CIPP/US is an attorney at Niles, Barton & Wilmer, LLP, concentrating his practice in data security and privacy law, civil litigation, and insurance law. He is a Certified Information Privacy Professional (CIPP/US) who counsels and represents companies in navigating international, federal, and state privacy and data governance laws.

For more information regarding cybersecurity policies and best practices, contact:

       Roger Hockenberry is the CEO of Cognitio Corporation, a consulting and engineering firm specializing in cybersecurity and data strategy. Prior to founding Cognitio, Mr. Hockenberry was the Chief Technology Officer of the Directorate of Operations for the Central Intelligence Agency. His work in this role included creating cloud strategy, driving innovation through the enterprise, and creating unique mission solutions. Prior to the CIA, Mr. Hockenberry was a Managing Partner at Gartner, and worked at Sun Microsystems and Netscape Communications.

References: 

[1] https://www.consumer.ftc.gov/blog/2018/12/marriott-data-breach
[2] https://www.statista.com/statistics/266279/revenue-of-the-marriott-international-inc-hotel-chain/
[3] See the Complaint filed in Vickie Vetter, et al. v. Marriott International, Inc.
[4] 2018 Verizon Data Breach Report
[5] On the Money: Growing IT Security Budgets to Protect Digital Transformation Initiatives”
KaperskyLab
[6] 2017 State of Cybersecurity among small business in North America, Better Business Bureau