Carlucci’s Column: Protecting Your Data Following Marriott Breach


Recently, Marriott made headlines because of one of the largest data breaches in history, possibly exposing as many as 500 million customer’s personal and sensitive information. Data compromised included: people’s names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, Starwood preferred guest loyalty program information, and more. Anyone who made a reservation since 2014 at W Hotels, St. Regis, Sheraton Hotels & Resorts, Aloft Hotels, Westin Hotels & Resorts, Four Points by Sheraton, The Luxury Collection, Element Hotels, Le Méridien Hotels & Resorts, Tribute Portfolio, and Design Hotels could become a victim of identity theft.

This is why I am calling on Marriott to pay for any impacted customer’s credit freeze on their accounts. A credit freeze with the major credit monitoring firms will stop someone from opening up a new line of credit by using a victim’s name, and prevent identity theft. Usually there is a $5 fee associated with each time you freeze and unfreeze your credit, and consumers should not have to foot the bill for Marriott’s blunder.

Almost as bad as the hack, Marriott’s timeline for disclosure. Hackers had reportedly been in the Marriott system for four years, before the company was alerted by internal security tools to an unauthorized user on September 8th. Then, it was not until Nov. 19th that the company realized what information hackers had stolen. At no point early on were customers notified of a possible breach. This in turn, left their information vulnerable for months when they could have put a credit freeze in place. This is why I sponsor legislation (S.6891), requiring that a preliminary notification that a breach may have occurred be sent to the Attorney General within 24 hours and to all effected parties within 48 hours.

However, until companies like Marriott update their data security protections and software, New Yorkers and Americans are left at risk. In New York breaches have reached an all-time high. In 2017, the state’s Attorney General reported nearly 1600 breaches, exposing 9.2 million New Yorkers’ personal information. That is more than quadruple the number of people impacted in 2016.

This is why we must pass the SHIELD Act (S.6933B), which would require companies put in place stricter data security safeguards so sensitive data is protected. The legislation would also change how companies report data breaches. For instance, private companies would be required to report hacks even when the personal data compromised is not specifically linked to social security numbers or driver license numbers. This means if username and password combinations appear to be hacked then a company must notify consumers and the New York State Attorney General. Additionally, companies would have to report breaches even if they do not conduct business in New York, if a New York resident’s information is compromised. Now millions of people could know sooner if their sensitive information is exposed and possibly prevent identity theft.

You must be logged in to post a comment Login