Once again, consumers are faced with the news of a data breach affecting millions of Americans. This time, it was Marriott Hotels, the parent company of brands like Starwood, Westin, Sheraton, W, and the eponymous Marriott. Every breach is bad, but this one looks particularly so. Marriott has acknowledged that information belonging to up to 500 million hotel guests’ data may have been exposed.
Thus far, Marriott has issued a statement revealing that an “unauthorized party” copied and encrypted information, which included personal data such as "people’s names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, Starwood loyalty program account information, and reservation information.” In short, the crooks got away with everything they would need to defraud millions of consumers.
Especially galling, it appears that the hackers had access to Marriott’s system as far back as 2014 until the company detected the problem on September 8, 2018. This would mean that Marriott neglected to disclose the hack to the public for almost two months. Numerous lawsuits have been filed against Marriott. Plaintiffs from Oregon to Maryland have claimed that Marriott was negligent in its poor management of their customers’ personal information and consequently exposing them to identity fraud. This cyberattack has surfaced as the second worst recorded data breach behind Yahoo’s 3 billion-account hack in 2013.
As 2018 comes to an end, the rise of attacks have become more and more unsettling. For example, earlier this year Uber settled its hack and subsequent cover-up for $148 million. When the history of the Internet is written, data breaches will undoubtedly be cited as a key reason for consumers’ declining trust in companies that collect their data.
Privacy advocates have called for stronger regulation of the companies that handle massive amounts of their users’ information. Despite the growing frustration surrounding consumer privacy, Congress has failed to seriously introduce, let alone pass, a federal consumer privacy bill. With the growing attention towards cyber hacks, Congress must make passing a federal consumer privacy bill that holds companies more accountable a top priority. There should be real penalties for those who handle their users’ information irresponsibly.
This frustrating status quo may be changing, however. Senator Ron Wyden (D-OR) has drafted his own “Consumer Data Protection Act,” which is the first to propose jail time for business executives that negligently or intentionally fail to disclose cyberattacks. Although the bill contains some strong protections such as regulatory authority for the Federal Trade Commission, many believe it will not gain the necessary traction to pass both houses of Congress. Other bills, such as Intel’s privacy act discussion draft, also contains some much-needed protections. As it prepares to open a new session in January, Congress must address these massive data breaches and push for comprehensive legislation that will protect Americans.