Tannenbaum Helpern Syracuse & Hirschtritt, LLP
About Us Careers Contact Us Search
Home Practice Areas Industries Case Results Attorneys Publications Events Press Room

Turndown Service with that Hack: Marriott Hotels Announce Massive Data Breach

Click here to download PDF

Marriott International, Inc., the world’s biggest hotel conglomerate by number of properties it owns, is the latest company to fall short in securing consumer privacy.[1]

On November 30, 2018, Marriott revealed that its Starwood hotels, which include the W Hotels, Le Meridien, St. Regis, and Sheraton brands, has been the subject of a cyberattack over the past four years in a breach that has affected the personal information of some 500 million guests.[2] According to Marriott, an as yet unidentified hacker penetrated the Starwood guest reservation system, copied guest information, and encrypted the copies, in an attempt to mask the breach from detection. The unauthorized access continued until September 2018, when Marriott’s security system finally identified the unauthorized access.[3] At this stage, Marriott has not identified the extent of the data copied that has been made or disclosed to third parties by the hacker.

The scope of the information exposed by the breach is distressing. For an unlucky 327 million guests, the data compromised includes, among other information, a combination of passport numbers, email addresses, mailing addresses, phone numbers, dates of birth and gender.[4] Further, Marriott is currently unable to confirm how many credit card or other payment card numbers have been duplicated, nor whether the hacker has obtained the decryption keys for the encryption used by Marriott to secure guest payment card numbers and expiration dates.[5]

Marriott has begun sending email notifications to affected individuals and established a call center to answer questions regarding the incident.[6] For US and Canadian customers the number is number 877-273-9481. Law enforcement officials and regulators in the UK and US have been alerted and investigations are underway.[7]

Those who have been affected should take advantage of the free one-year enrollment in WebWatcher, a fraud-monitoring service that is currently being offered by Marriott. Those who have been contacted by Marriott, as well as those who have not yet been contacted by Marriott, but have stayed in a Starwood hotel in between 2014 and September 2018, can take protective actions, such as changing account passwords or implementing two-factor authentication, monitoring bank and financial accounts and credit card statements, and remaining vigilant when it comes to opening email attachments.[8]

The Marriott breach serves as a useful reminder for all businesses to review their own security practices. Among the steps to consider are:

  • Keep your firm’s system as secure as practicable. It is not possible to keep your system 100% secure, regardless of how much money you spend on cybersecurity. However, you can reduce your risk by having the latest antivirus, firewall, web browser and operating systems, and applying all patches and updates provided by software publishers.
  • Prepare and maintain a written information security program. An effective written information security program will describe the measures that your firm is taking to protect the security and confidentiality of personal and other sensitive information that it collects and maintains. This program should be updated as necessary.
  • Establish a records retention policy. Your firm should establish a records retention policy, which includes a requirement to destroy documents containing sensitive information that you no longer need, so long as you are not required to retain those documents under applicable laws.
  • Prepare an effective incident response plan, and test it. If you have not done so already, your firm should have a data breach incident response plan in place, and that plan should be tested and updated regularly. Among other things, an effective incident response plan will specify which individuals will be contacted if a potential breach occurs, and will specify the steps to follow in responding to the breach.
  • Back up your critical data regularly. Reduce the likelihood of losing your firm’s data in a “ransomware” attack or other disaster by maintaining regular backups of critical systems and data.
  • Train your employees. A company’s own employees are a primary source of data security risk. Your firm’s employees should be trained on basic cybersecurity hygiene, and training sessions should be scheduled regularly. New kinds of threats are constantly emerging, and best practices are evolving. Your employees should continuously be up to date on what to do and what not to do.
  • Limit access to sensitive information within your firm. Ensure that access to legally-protected and other sensitive information is limited only to those employees of yours that actually need such access. Not everyone in your firm needs to have access to the firm’s most sensitive information.
  • Maintain physical security. Many firms focus intently on cybersecurity, as they should. However, physical security is also extremely important. Your firm should restrict access to its physical space to make it more difficult for intruders to gain access. In addition, paper documents containing legally-protected and other sensitive information should be kept in a locked cabinet or locked desk drawer.
  • Consider obtaining cyber insurance. Cyber insurance coverage will protect your firm against certain losses that may occur in a data breach. Your insurance broker should be able to assist your firm in obtaining appropriate cyber coverage, and your legal counsel can help you understand the scope of that coverage.

If you have any questions on the issues addressed in this article, please contact any member of our Cybersecurity and Data Privacy practice or your regular contact at Tannenbaum Helpern.

David R. Lallouz



Andre R. Jaglom



Beth Smigel



Michael J. Riela



Maryann C. Stallone



Vincent J. Syracuse



About Tannenbaum Helpern Syracuse & Hirschtritt LLP

Since 1978, Tannenbaum Helpern Syracuse & Hirschtritt LLP has combined a powerful mix of insight, creativity, industry knowledge, senior talent and transaction proficiency to successfully guide clients through periods of challenge and opportunity. Our mission is to deliver the highest quality legal services in a practical and efficient manner, bringing to bear the judgment, common sense and expertise of well trained, business minded lawyers. Through our commitment to service and successful results, Tannenbaum Helpern continues to earn the loyalty of our clients and a reputation for excellence. For more information, visit www.thsh.com. Follow us on LinkedIn and Twitter: @THSHLAW.

[1] https://www.bbc.com/news/technology-46401890

[2] https://answers.kroll.com/

[3] Id.


[5] https://answers.kroll.com/

[6] https://answers.kroll.com/

[7] http://time.com/5467773/marriott-data-breach/

[8] https://www.cnn.com/2018/11/30/tech/marriott-breach-what-to-do/index.html

Business Litigation Bulletin
Employment Notes
Note from the Real Estate Group
THSH E-Alert
Other Publications
Inclement Weather Policy
Other Publications Archive
President Obama Seeks to Broaden Overtime Protections for Employees
Privacy regulation in the United States
The Broad Scope of Franchise Laws: Traps for the Distribution Contract Drafter
Managing Distribution: How to Develop a Corporate Legal Compliance Program
Internet Distribution, E-Commerce and Other Computer Related Issues
Distribution Contracts
What Impact Will FATCA Have on Offshore Hedge Funds and How Should Such Funds Prepare for FATCA Compliance?
The American Taxpayer Relief Act of 2012: What It Means to You
Privilege and the In-House Counsel: Protecting Your Communications Through Proper Registration and Careful Understanding
Are your digital communications protected by attorney-client privilege and what if privileged information is disclosed?
THSH Private Equity Roundtable Summary
Post Grant Review Under the America Invents Act
Bench-Bar Conversation with Justice Carolyn E. Demarest
Proposed Changes Set to Alter Estate and Gift Tax Structure in New York: Time to Make a Gift?
New York City Paid Sick Leave – What Staffing Firms Need to Know
New York State Estate and Gift Tax: The Hidden Costs of Tax Reform
Assessing Never-Examined SEC-Registered Investment Advisers: An SEC NEP Priority
Changes to NY Minimum Wage
NLRB Strikes Again
Bench-Bar Conversations with Justice Elizabeth Emerson
Attorney Professionalism Forum: What should an attorney do when the client wants to present false information and what happens
Reducing the risk of violating competition law
NY Rings in 2015 with a Minimum Wage Increase
Distribution & Agency 2015 - Q&A on the distribution of goods and services in 17 jurisdictions worldwide
Fair Chance Act
Sales Taxes on Construction Projects
Forget Big Brother, What Happens When it’s Opposing Counsel is Doing the Recording?
E-Discovery Identification & Preservation Guide For Lawyers (Version 2.0)
On the Horizon: What to do before selling your staffing business
Striking the Right Encryption Balance after FBI, Apple Fracas
Delaware Court Reiterates Need for Unambiguous Non-Reliance Provisions in M&A Agreements
Finalizing a Divorce? Wait, Just One More Thing …
IRS Proposed Changes to IRC 2704 Affect Business Succession and Estate Planning Valuation Discounts
Trump and the Estate Tax: What We Know
Actual-Intent Fraudulent Transfers and the Crime/Fraud Exception
Proposed NYS DFS Cybersecurity Regulations to Significantly Impact FS Companies
New Guidance for Human Resource Professionals to Avoid Antitrust Violations
Merger and Scènes à Faire: Two Defenses to Substantial Similarity in Copyright Litigation
What’s New in the Revised New York State Proposed Cybersecurity Regulation?
The Law of Insider Trading: A Primer For Investment Managers
Recent Cyber Attack On Law Firms Serves As A Wake-Up Call For Professional Services Firms
The Ambac Decision and the Future of the Common Interest Privilege Under the New York Law
Overview of Data Privacy and Cybersecurity Regulatory Landscape for Investment Advisers and Other Financial Services Companies
Global Ransomware Attack: Basic Security Measures Every Business Should Adopt
Distribution & Agency 2017- Q&A on the distribution of goods and services in 17 jurisdictions worldwide
New Copyright of Resource: Copyright Protection
Attorney Professionalism Forum: Using Per Diem Attorneys Plus An Addendum To The June Forum On Cybersecurity Ethics
Congressional Republicans Propose Sweeping Tax Reform
Attorney Professionalism Forum: Attorney-Client Confidentiality vs. the Customs Agent: Who Wins?
Attorney Professionalism Forum: Confidentiality Issues When Clients Don’t Tell The Truth
Rules for Equity Crowdfunding Effective May 16, 2016
Estate Planning Under Comprehensive Tax Reform
Attorney Professionalism Forum: Attorney Websites, Branding and Using Social Media
Attorney Professionalism Forum: Attorney Advertising And Self Promotion
NY Appellate Court Shifts Balance of Power in Commercial Real Estate Leases: Upholds Yellowstone Injunction Waiver
Recent Developments in Neighbor Litigation
Attorney Professionalism Forum: Communicating With Clients With Diminished Capacity
Attorney Professionalism Forum: Litigation Financing
Groundbreaking bipartisan Congressional Legislation could pave the way to fully legalized Marijuana
Conditions Precedents in Construction Contracts
Distribution & Agency 2018 - Q&A on the distribution of goods and services in 18 jurisdictions worldwide
Data Privacy Alert: California Consumer Privacy Act of 2018 Just Enacted
Attorney Professionalism Forum: Litigation Financing Confidentiality and Marijuana Ethics For Lawyers
U.S. Markets See First Cannabis IPO
NYS Department of Financial Services Issues Guidance to Banks on Servicing the Marijuana Industry
THSH Cyber Alert: GoDaddy the latest to leave S3 Bucket Unsecured
Legalized Adult-Use Marijuana Coming to New York?
NYS and NYC Sexual Harassment Prevention Laws
Are Your Website and Privacy Policy GDPR Compliant?
Attorney Professionalism Forum: Ethics and Best Practices For Law School Clinics
Beware of the AIA Form of Performance Bond
Attorney Professionalism Forum: Referral Fees and Using a Client as an Expert
Anecdotes from World’s Largest B2B Cannabis Conference
Attorney Professionalism Forum: Restrictive Covenants In Agreements Employing Lawyers
Turndown Service with that Hack: Marriott Hotels Announce Massive Data Breach
Attorney Professionalism Forum: Handling Confidential Client Information
Groundbreaking 2018 Farm Bill Portends Huge Changes to U.S. Cannabis and Hemp Industries
Attorney Professionalism Forum: The Challenges of Litigating Against Pro Se Parties
Articles By Topic
Cyber & Privacy Alert
New York Law Journal
Attorney Professionalism Forum
Join Our Mailing List
Like us on FaceBook Follow us on Twitter Get LinkedIn with us Pin It! Email Us Print this Page

Sitemap |Terms of Use | Privacy | Attorney Advertising

Tannenbaum Helpern Syracuse & Hirschtritt LLP provides legal advice only to individuals or entities with which it has established an attorney-client relationship and such advice is based on the particular facts and circumstances of each matter. Contacting us through this site, or otherwise, will not establish an attorney-client relationship with us. Any e-mail or other communication sent to THSH or its lawyers through this site will not be treated as subject to the attorney-client privilege or as otherwise confidential and you should not include any confidential information in any such communication.