The Harvard Business Review recently published an article online outlining what senior managers and regulators can learn from the recent data breach at Marriott Hotels, which may have affected up to 383 million individuals. The article, written by Shivaram Rajgopal, Professor of Accounting and Auditing and Vice Dean of Research at Columbia Business School, and Bugra Gezer, founder and CEO of Cyber Rate LLC, considers what this breach means for data privacy in the US and around the globe.
Marriott Hotels may face a significant fine under the EU’s General Data Protection Regulation (GDPR), which stipulates that fines of 4% of annual global revenue must be paid if the legislation is violated.
The Marriott Hotels breach may have compromised at least 25 million passport numbers and 8 million payment cards. The organisation waited 11 weeks before releasing information about the breach, a delay the article’s authors deemed unacceptable.
The key findings of the article are outlined below.
1. Organisations Fail to Meet Breach Reporting Deadlines
According to the authors, companies fail to report data privacy violations within the applicable deadlines. Furthermore, enforcement bodies fail to levy the appropriate penalties against organisations that do not meet these deadlines. Marriott did not report the data breach for over 11 weeks, whereas GDPR stipulates that data breaches must be reported within 72 hours of their discovery. Therefore, if any of the compromised data pertained to EU citizens (and it is highly likely that it does), the company has violated GDPR.
2. Mergers & Amalgamations Pose a Risk to Data Security
The Marriott data breach investigators discovered that the violation occurred on a database belonging to Starwood, a company that merged with Marriott as part of a new business arrangement. The Harvard Business Review authors stated that ‘regulators should consider imposing disclosure requirements about the company’s plan to protect the data infrastructure after a merger’.
3. Cyber Breaches Can Have Wide-Reaching Impacts
Should a hacker gain access to one primary database, they have a foothold in the network and can then target each system that this database connects to. This ‘systemic cyber risk’ can affect an organisation’s entire supply chain. For example, if a large company outsources its order system or payroll software, it is possible for the hackers to log on to that system and cause further data breaches.
4. Company Boards Should Include Experts on Cyber Security
The authors of the report highlighted that of Marriott’s 13 board members, none is an expert in cybersecurity, despite the vast amount of customer data held by the organisation. Furthermore, no cybersecurity sub-committee had been established.
The authors concluded by saying: “We believe that regulators could get companies to focus on cyber readiness and the attendant systemic cyber-risk exposure by forcing boards of directors to make representations on the cybersecurity exposure of the company. Once the board is ‘on the hook’, corporate accountability should improve and mitigate the damage from cyber breaches to customers and to society as a whole. Many companies could learn from Marriott’s story and consider in detail how they would handle such a major data breach.”