BOOK AN APPOINTMENT WITH AN IT SPECIALIST TODAY

What Are Your Company’s Responsibilities Following a Data Breach?

Learn from Marriott’s Example: Notification Responsibilities After a Data Breach

Most states, the District of Columbia, the Virgin Islands and Puerto Rico have passed legislation regarding notification of security breaches. Know the laws in your state.  

Cyberbreach Marriott

To answer this question, let’s start with the example experienced by Marriot International recently when a breach exposed the social security numbers of the hotel chain’s associates. Then, we’ll look at the federal and state requirements for notifying those impacted by a breach that involved their data.

How Did Marriott International Employees Fall Victim to a Data Breach?

Marriott International told some of its employees that their social security numbers (SSNs) had been exposed to an unknown person. The risk came from a vendor that handled documents for the hotel chain.

On September 4, 2019, Marriott found out that someone access information recorded on those documents, which included subpoenas and court documents. The notification, which came two months after the incident, merely stated that someone may have accessed the records, which is all hotel representatives claim to know. The potential breach impacts over 1,500 Marriott employees. On October 30, the hotel started sending notifications via regular mail for anyone it hadn’t been able to find.

Those impacted will receive free credit monitoring as well as identity theft protection for one year at the company’s expense. Notification and credit monitoring services are part of recent data breach laws, but one must wonder what took Marriot so long to notify the victims.

Why Did Marriott Have a Difficult Time Finding Victims?

Marriott received a list of those impacted, but most had no address. This may be the most significant factor in the delay. And, it’s not an unusual one. Company records breached by hackers may be incomplete in the best of circumstances, and this information was sitting in several external systems.

The unnamed firm said all Marriott employee data was deleted from its system. One of the problems in cases like this is storing data in multiple systems, which increases the risk of theft and data breaches. Marriott no longer partners with the vendor.

What Are Your Company’s Responsibilities in Case of a Data Breach?

The FTC recommends following these steps, some of which are legally required.

Secure your Operations

Move quickly to take whatever steps are needed to secure your systems. Otherwise, your data breach can result in a series of breaches. Mobilize or form a breach response team to shore up your network against further loss.

Fix Vulnerabilities

As part of the fix, you need to anticipate questions that clients, associates and the authorities may have. Put together clear questions and answers to post on your website. Direct communication may ease frustration and concerns, especially if it takes some time to identify those impacted, as in the Marriott cases.

Work with forensic experts to track to determine what records were at risk.

Notification

Most states, the District of Columbia, the Virgin Islands and Puerto Rico have passed legislation regarding notification of security breaches. You must notify the affected parties when personal information is involved. Check the laws in your state as well as the federal laws and consult with your legal team regarding your responsibilities.

More Like This

How Microsoft Dataverse Helps Your Organization Store and Manage App Data Securely

How Microsoft Dataverse Helps Your Organization Store and Manage App Data Securely Microsoft Dataverse is a software as a service (SaaS) solution capable of resolving wide-ranging data management and businesses’ storage issues. As an ever-increasing number of organizations generate a large amount of data, there is a need to manage it securely and efficiently. Thus, …

How Microsoft Dataverse Helps Your Organization Store and Manage App Data Securely Read More »

Read More

AA21-055A: Exploitation of Accellion File Transfer Appliance

Original release date: February 24, 2021 Summary This joint advisory is the result of a collaborative effort by the cybersecurity authorities of Australia,[1] New Zealand,[2] Singapore,[3] the United Kingdom,[4] and the United States.[5][6] These authorities are aware of cyber actors exploiting vulnerabilities in Accellion File Transfer Appliance (FTA).[7] This activity has impacted organizations globally, including …

AA21-055A: Exploitation of Accellion File Transfer Appliance Read More »

Read More

AA21-048A: AppleJeus: Analysis of North Korea’s Cryptocurrency Malware

Original release date: February 17, 2021 Summary This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques. This joint advisory is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency …

AA21-048A: AppleJeus: Analysis of North Korea’s Cryptocurrency Malware Read More »

Read More

How IT Consulting Companies Can Help Overcome Technology Challenges

How IT Consulting Companies Can Help Overcome Technology Challenges Information technology helps businesses of varying sizes to enhance operations and thrive. To maximize the benefits of technology, businesses often enlist the help of established IT consulting companies. With the assistance of highly skilled consultants, organizations empower themselves with the right tools to bolster innovation and overcome …

How IT Consulting Companies Can Help Overcome Technology Challenges Read More »

Read More

AA21-042A: Compromise of U.S. Water Treatment Facility

Original release date: February 11, 2021 Summary On February 5, 2021, unidentified cyber actors obtained unauthorized access to the supervisory control and data acquisition (SCADA) system at a U.S. drinking water treatment plant. The unidentified actors used the SCADA system’s software to increase the amount of sodium hydroxide, also known as lye, a caustic chemical, …

AA21-042A: Compromise of U.S. Water Treatment Facility Read More »

Read More

Pros and Cons Of Outsourcing Your IT Support To A Managed Services Provider

Pros and Cons Of Outsourcing Your IT Support To A Managed Services Provider Paper or plastic? Cash or charge? MSP or in-house IT? There are many choices that you need to make on a daily basis, some personal and some related to keeping your business running. However, the last question can have a serious impact …

Pros and Cons Of Outsourcing Your IT Support To A Managed Services Provider Read More »

Read More