Marriott data breach puts lawmakers in a regulatory mood
2018 has been the year of the data breach, from tech giants like Facebook and Google to industry players like Adidas and Panera have all made headlines. Overall, there’s been a marked increase in data breaches (72 percent) from the first half of the year over the first half of 2017.
This time, it’s one of the largest hotel chains in the world, Marriott. Personal information on as many as 500 million guests may have been compromised by hackers who accessed the Starwood reservation system, which was acquired by Marriott in a merger with Starwood Hotels & Resorts Worldwide in 2016.
With so many data breaches occurring, you may be wondering about the ramifications of all these data breaches and what they mean for your company. Here’s what we see happening.
Lawmakers get active
The Marriott data breach compelled at least two lawmakers to remark that stiff fines and jail time for executives might be warranted. One of them, Senator Ron Wyden, drafted legislation that would impose fines of up to $5 million on executives of companies with annual revenue of $1 billion or greater. Executives who intentionally mislead the Federal Trade Commission (FTC) could also face up to 20 years in prison.
Before we go there, it should be noted that there are many data privacy regulations on the books already, including the General Data Protection Regulation (GDPR) and Australia’s Privacy Act 1988. In the US, The California Consumer Privacy Act of 2018 takes effect January 1, 2020. You can expect more states to enact privacy laws as the importance of data protection seeps into the public consciousness and more lawmakers express outrage with each subsequent data breach.
Help prevent breaches
If your organization is concerned about being a victim of a data breach, consider how you manage, communicate and collaborate on risks, threats and vulnerabilities. Review your processes and identify areas where processes are breaking down or are ineffective.
A great example of this involves the risk management process. Frequently, companies are overwhelmed by scanner data and unable to distinguish between a harmless risk and a serious threat. Another example of a process breaking down is communication with stakeholders. Security professionals don’t want to be alarmists, nor viewed as rearranging deck chairs on the Titanic.
Win with integration
From a company perspective, data protection isn’t solely an IT security issue. Compliance with new privacy laws and managing cyber risk will require new policies and processes that demand cross-departmental collaboration. Using a technology platform that can bring together cybersecurity, data privacy, compliance, audit and more and can integrate risk management processes, putting everyone on the same page. A platform that consumes and correlates data and then interlinks policies to controls makes it easier to prove compliance and manage risk.
As Lockpath’s Sam Abadir recently wrote in an article for Information Security magazine, “the linkages provide a defensible record, essential to withstanding public scrutiny and investigations. Policies managed through integrated risk management solutions can be created and updated efficiently in response to business or regulatory changes.”
The Marriott data breach is one of the latest, but it certainly won’t be the last. It’s a stark reminder to business that cybersecurity is a bigger issue than IT security. It’s also about compliance with privacy laws and managing incidents, threats, vulnerabilities and risk.
Learn about CIS’s first five controls and examine what each control addresses.
Learn about how privacy programs and the importance of being prepared for a breach.
Learn about the constant vigilance of continuous security monitoring.