Marriott breach spurs new privacy law push

Lawmakers are fired up after Marriott International suffered what is believed to be the nation’s second-largest data hack, in which hundreds of millions of its customers had their personal data stolen.

The massive exposure of personal information from the brand’s Starwood Hotels reservation database quickly led to calls for tougher legislation to protect customers’ data privacy.


Sen. John Kennedy (R-La.) told The Hill on Tuesday that he is crafting privacy legislation to address these kinds of hacks and expressed frustration over the wave of recently revealed, massive data breaches.

Kennedy, who said he is in the early stages of writing the bill, declined to provide details on what exactly it will include. Still, he said that Congress has “got to start” the discussion on holding companies accountable when users’ private data is exposed.

“Right now there’s a lot of chopping, but I don’t see any chips flying. Everybody’s talking, but nothing’s moving in terms of legislation,” Kennedy said.

Marriott International revealed on Friday that it had suffered from a massive hack dating back to 2014, in which the personal data of 500 million of its customers was compromised.

The company says it’s working to address the breach, including starting a website and call center for customers who may have had their data exposed.

Marriott said last week that it received an alert in early September about an attempt to access its Starwood guest reservation database. The hacker “copied and encrypted information” and then took steps toward removing it. That information turned out to be the guest database, according to the company’s investigation of the hack.

The passport numbers of up to 327 million guests also may have been exposed in the breach. Senate Minority Leader Charles Schumer (D-N.Y.) has called for the chain to pay for new passports for those impacted, and a Marriott spokesperson told MarketWatch on Tuesday that it will cover those costs if they determine fraud has taken place.

“Marriott deeply regrets this incident happened,” the company said in a Friday blog post. “Marriott reported this incident to law enforcement and continues to support their investigation. The company has already begun notifying regulatory authorities.”

The breach has already caught the scrutiny of both federal and state governments, with New York Attorney General Barbara Underwood (D) announcing just hours after Marriott revealed the hack that she was launching an investigation.

Kennedy expressed concern over the increasing frequency of data breaches, saying that Americans are “becoming desensitized” to their personal information ending up in the hands of hackers.

“In today’s world, I’m not sure you can be 100 percent secure,” Kennedy told The Hill. “But it clearly has to be a priority.”

Marriott is just one of a number of companies hit by significant data breaches that have affected millions in recent years.

Quora announced on Monday that the personal data of roughly 100 million users of the question-and-answer site may have been compromised. Dunkin’ Donuts also announced a breach last week. Orbitz, Under Armour, Facebook and Google are other companies that have disclosed breaches just in the current year.

But the scale of Marriott’s hack has caught the attention of lawmakers from both sides of the aisle and raised questions about whether companies are improving their handling and response to breaches.

Republicans on the Senate Commerce Committee sent a letter on Tuesday to Marriott International CEO and President Arne Sorenson requesting details on the extent of the data breach and what steps the chain is now taking to protect customers’ data.

On the other side of the aisle, Sen. Ron Wyden (D-Ore.) seized the opportunity to tout drafting legislation to create stricter penalties for companies that have been hacked.

“If history is any guide, @Marriott’s mega data breach will be treated like all the others: the company will apologize & offer useless credit monitoring to the victims impacted. The status quo isn’t working,” Wyden tweeted Friday.

Rep. Bennie Thompson (D-Miss.), the ranking member of the House Homeland Security Committee and the panel’s likely incoming chair, also sent a letter to the Marriott CEO this week, requesting a meeting to discuss the breach.

“I am disturbed by the evolving scale and scope of data breaches affecting Americans, the types of actors who may be interested in the data, and the nefarious purposes for which bad actors might use stolen data,” Thompson wrote.

Rep. Jamie Raskin (D-Md.), whose district is home to Marriott International, told The Hill on Monday that he believes that the company is trying “to be as transparent as it can be but they don’t have a clear idea as to how it happened.”

Lawmakers’ renewed scrutiny of companies’ data privacy practices comes after Congress repeatedly stumbled in its efforts to address the matter legislatively.

Revelations that 143 million Americans had their sensitive data — including Social Security numbers — exposed in the 2017 Equifax breach similarly sparked a public uproar and calls for change. But despite congressional hearings and broad support, lawmakers failed to pass a bill to protect consumers’ data.

With no federal privacy standard, states are filling the void with their own laws. But that has also brought pushback from businesses who worry about complying with a patchwork of different laws across the country.

The spotlight on data privacy was brought to the forefront again earlier this year following revelations that Cambridge Analytica — the data firm the Trump campaign used during the 2016 presidential election — had obtained and kept the private information of 50 million Facebook users without their permission.

The firm helped the campaign target voters based off the information, sparking a wave of anger at Facebook CEO Mark Zuckerberg and the social media platform over its faulty efforts to safeguard customers’ data from third-party collection.

Whether the Marriott breach can bring Congress to a tipping point remains to be seen.

Kennedy said Tuesday he is frustrated that companies like Facebook haven’t done enough to address privacy and security concerns on their own, suggesting that they are forcing lawmakers’ hands.

“I had hoped that companies, including but not limited to social media companies, would come forward with some ideas for Congress to address this problem, but they haven’t,” he said. “And I think Congress is going to have to address it itself.”

Alex Gangitano contributed.