Some Thoughts Regarding the Marriott Data Breach
By Patrick Gaul, Executive Director, National Technology Security Coalition
Watching the news surrounding the Marriott data breach unfold over the past week, I am not surprised by the reactions from various industry experts and federal and state government lawmakers. As usual, we hear the same calls for stricter privacy legislation and tougher penalties for breached companies. One senator even called for executives in these companies to be “locked up,” as if punishing corporate executives will stop cyber criminals or address the root cause of data breaches.
Right now, we do not know all the facts about the Marriott data breach. It will take some time to uncover exactly what happened, and how. This is true of all data breaches, no matter the immediate public outrage. Certainly, we’ve learned that some data breaches do involve negligence or poor security best practices. But a few factors—hidden in the background—seem to linger and never get resolved every time a significant data breach occurs:
- Most security compliance activities do not help prevent data breaches. Compliance requires heavy investments toward requirements that don’t necessarily protect consumers. Most compliance requirements across federal and state laws and regulations do not help directly compensate impacted consumers or improve the cybersecurity posture of a company. A confusing set of laws and regulations conflict with each other and add bureaucracy to companies while neglecting to set a clear national security standard. For example, a well known cyber lawyer in Atlanta pointed out to me that the Starwood system was apparently compromised prior to its acquisition by Marriott Corporation. Despite all of our laws and regulations, he rightfully wondered why that fact did not come to light during the due diligence process.
- Speed-to-market and consumer convenience is often incentivized more than security. We may pay lip service to security after a data breach and pretend we are concerned. But companies often pay most attention to profit and increasing shareholder value. Consumers demand products and desire convenience that requires companies to move fast. Security teams are often beholden to a vast ecosystem of business stakeholders, shareholders, and customers who consider security as a lesser priority.
- We like to punish companies for a crime they did not commit. We are so used to blaming companies for data breaches that we often forget a simple fact—these companies are victims of a crime. Sure, if a burglar steals from an unlocked home, it’s easy to cast some blame at the homeowner. But we seem to forget the burglar is the primary problem. Marriott, despite its security posture, was still the victim of a crime.
Unfortunately, these factors punish the consumer most. Consumers experience different data breach notification laws from state to state. Regulations vary wildly by industry. Consumers want the convenience of not entering a credit card number every time they purchase something from Amazon or iTunes, or the convenience of walking into a rental car parking lot and driving away with the car of their choice because that rental agency has everything they need in their file. But consumers aren’t primed to understand—as with the GDPR in the EU—how companies use their information. And punishing companies helps the consumer too little, too late, without examining smarter ways to strengthen the security posture of companies.
The Marriott breach, along with the recent Dunkin’ Donuts and Quora breaches, all continue to serve as reminders of the need for federal legislation governing both privacy and data breach notification. Legislation such as the Consumer Information Notification Requirement Act, sponsored by Rep. Blaine Luetkemeyer (Mo.), is helpful as a financial sector data breach notification bill with the aim of codifying federal notification guidelines for all financial institutions. But we need something that encompasses all industries because not all consumers are equally protected by state legislation governing these data breaches.
While data breach notification legislation exists in all 50 states plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, there are notable differences among these laws in the level of consumer protection and rights. These differences will not go away when states begin to pass privacy legislation in the wake of the California Consumer Privacy Act—possibly leading to another flurry of state laws that conflict with each other, add bureaucracy to companies, and fail to effectively protect consumers.
Congress seems conflicted about what approach to take. Senator Mark Warner (D-VA), the co-founder of the Senate Cybersecurity Caucus, commented that the country needs laws that will enforce limits on the data companies can collect about and from consumers—but consumer convenience makes constituents largely apathetic. A punishment mentality remains popular with proposed bills during the past year from Senator Elizabeth Warren (D-MA), Senator Warner, and recent language from Sen. Ron Wyden (D-OR). Many GOP representatives are afraid to preempt state data breach laws in fear of making data breach notification a states’ rights issue. The idea of a national data breach notification law has been floated around for years but killed for various reasons ranging from an inability to craft a bipartisan law to powerful industry groups (such as retail) that cannot seem to agree on the importance of crafting a single standard. All these conflicting messages have added up to Congressional inaction.
However, inaction seems less and less of a plausible strategy given recent developments. If a major company hasn’t experienced a data breach yet, it now seems a matter of when—not if. The number and breadth of data breaches over the past few years has led to more consumer awareness about data security and privacy. A big wakeup call turned out to be something incredibly personal to consumers—Facebook. The Facebook–Cambridge Analytica data scandal and a July 2017 data breach revealed to the public in September both made consumers viscerally aware of their data in ways that EU citizens have contemplated for decades. As US public sentiment shifts and awareness increases, we’re seeing actions such as the California Consumer Privacy Act and even the White House discussing data privacy with a seriousness unheard of just a few years ago.
If we continue on a path of a patchwork of state laws, a punishment mentality, and a reactive strategy to data breaches that never solves the root causes, then we are not on the right path. The NTSC endorses reasonable data collection, especially if that data is collected without the consumer’s knowledge. But we also believe that creating security standards based on the size of a company and the type of data held is also critically important to ensure the protection of consumer data.
Is that an easy task? Absolutely not. It requires bipartisan and industry-agnostic discussion that eventually leads to a law that helps businesses, consumers, and national security—while reducing bureaucracy, unnecessary compliance requirements, and a fixation on punishing companies. The NTSC supports federal legislation that gives businesses one place to file, ensures a standard of security for consumer data based on company size and data held, and supports appropriate civil penalties in cases of gross negligence.
As I noted in an op-ed published in The Hill last year, it is time for Congress to pass national data breach notification legislation and, at the same time, create federal privacy legislation that establishes equal protection for all consumers across the country. Otherwise, the Marriott data breach will serve as another example of short-term public outrage with nothing changing in the long-term.