BOOK AN APPOINTMENT WITH AN IT SPECIALIST TODAY

What Are Your Company’s Responsibilities Following a Data Breach?

Learn from Marriott’s Example: Notification Responsibilities After a Data Breach

Most states, the District of Columbia, the Virgin Islands and Puerto Rico have passed legislation regarding notification of security breaches. Know the laws in your state.  

Cyberbreach Marriott

To answer this question, let’s start with the example experienced by Marriot International recently when a breach exposed the social security numbers of the hotel chain’s associates. Then, we’ll look at the federal and state requirements for notifying those impacted by a breach that involved their data.

How Did Marriott International Employees Fall Victim to a Data Breach?

Marriott International told some of its employees that their social security numbers (SSNs) had been exposed to an unknown person. The risk came from a vendor that handled documents for the hotel chain.

On September 4, 2019, Marriott found out that someone access information recorded on those documents, which included subpoenas and court documents. The notification, which came two months after the incident, merely stated that someone may have accessed the records, which is all hotel representatives claim to know. The potential breach impacts over 1,500 Marriott employees. On October 30, the hotel started sending notifications via regular mail for anyone it hadn’t been able to find.

Those impacted will receive free credit monitoring as well as identity theft protection for one year at the company’s expense. Notification and credit monitoring services are part of recent data breach laws, but one must wonder what took Marriot so long to notify the victims.

Why Did Marriott Have a Difficult Time Finding Victims?

Marriott received a list of those impacted, but most had no address. This may be the most significant factor in the delay. And, it’s not an unusual one. Company records breached by hackers may be incomplete in the best of circumstances, and this information was sitting in several external systems.

The unnamed firm said all Marriott employee data was deleted from its system. One of the problems in cases like this is storing data in multiple systems, which increases the risk of theft and data breaches. Marriott no longer partners with the vendor.

What Are Your Company’s Responsibilities in Case of a Data Breach?

The FTC recommends following these steps, some of which are legally required.

Secure your Operations

Move quickly to take whatever steps are needed to secure your systems. Otherwise, your data breach can result in a series of breaches. Mobilize or form a breach response team to shore up your network against further loss.

Fix Vulnerabilities

As part of the fix, you need to anticipate questions that clients, associates and the authorities may have. Put together clear questions and answers to post on your website. Direct communication may ease frustration and concerns, especially if it takes some time to identify those impacted, as in the Marriott cases.

Work with forensic experts to track to determine what records were at risk.

Notification

Most states, the District of Columbia, the Virgin Islands and Puerto Rico have passed legislation regarding notification of security breaches. You must notify the affected parties when personal information is involved. Check the laws in your state as well as the federal laws and consult with your legal team regarding your responsibilities.

More Like This

AA20-301A: North Korean Advanced Persistent Threat Focus: Kimsuky

Original release date: October 27, 2020 Summary This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the ATT&CK for Enterprise version 7 for all referenced threat actor tactics and techniques. This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of …

AA20-301A: North Korean Advanced Persistent Threat Focus: Kimsuky Read More »

Read More

Getting Started With Microsoft Teams?

Getting Started With Microsoft Teams? What drives workplace performance? A few years ago, a Stanford study published in the Journal of Experimental Social Psychology suggested that workplace performance was driven by collaboration. In fact, just the thought of collaboration was enough to improve performance. One interesting statistic: 64% of employees working collaboratively had higher success rates than …

Getting Started With Microsoft Teams? Read More »

Read More

AA20-296B: Iranian Advanced Persistent Threat Actors Threaten Election-Related Systems

Original release date: October 22, 2020 Summary The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning that Iranian advanced persistent threat (APT) actors are likely intent on influencing and interfering with the U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process. …

AA20-296B: Iranian Advanced Persistent Threat Actors Threaten Election-Related Systems Read More »

Read More

AA20-296A: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets

Original release date: October 22, 2020 Summary This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor tactics and techniques This joint cybersecurity advisory—written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA)—provides …

AA20-296A: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets Read More »

Read More

MFA Bug Opens Door For Hackers To Attack Microsoft 365

New and heightened digital threats develop every day, and having standard security software may not be enough to protect your personal data and business from exploitation from malware attacks. Businesses across industries are vulnerable to new attacks, as many security software lags behind. Hackers find ways to work around the most common security platforms to …

MFA Bug Opens Door For Hackers To Attack Microsoft 365 Read More »

Read More

What Is The Dark Web?

What Is The Dark Web? Are your company’s data and network secure? Solidly secure? Or, are you worried you may have been hacked, putting sensitive data at risk? You may be wondering about the latter if you’re looking up information on the dark web and how it may impact your business. Because, indeed, if you …

What Is The Dark Web? Read More »

Read More