Caveat – this blog relates to news items that appeared in the second week of December 2018, after the breach disclosure was made by Marriott on November 30th 2018. Very little information besides the duration of the breach (from 2014) and the potential number of guests affected (around 500 million) is known at this time.
As a victim of the Starwood breach, you could be either a guest whose personal details were stolen or the establishment whose credibility and reputation are at stake because the data was stolen from it.
If you’ve been a guest of the Starwood’s chain of hospitality units, here are a few things you could do:
- Look up the official website for the latest updates on the breach.
- Sign up for the free Web Watcher Enrollment, if it applies to your country.
- Check your personal details on the Have I Been Pwned security site to see if your details have been compromised.
- Be alert for any suspicious activity that could arise from identity theft.
In the unfortunate event of finding your personal details breached, what remedies do you have?
I’m going to focus on the GDPR (General Data Protection Regulation) – it being the most comprehensive legislation to protect the rights and freedoms of individuals.
If the GDPR is applicable to you, as a data subject who has been impacted by this breach, you can:
- Lodge a complaint with the supervisory authority of the member country in which you reside or work, or of the place of the alleged infringement (Art. 77).
- Apply to the courts for an effective judicial remedy (Art. 79).
- Connect with an appropriately constituted not-for-profit body, organization, or association to represent your interests (Art. 80).
- Seek compensation for material or non-material damages (Art. 82).
“Currently many companies opt for inadequate data security because it’s cheaper than the consequences of a data breach,” says John M. Simpson, project director for privacy and technology at Consumer Watchdog. “The Consumer Privacy Act fixes that and would hold companies accountable.”
However, for an organization, opting for inadequate data security because it appears cheaper than the consequences of a breach is shortsighted. In the consideration of administrative fines (Art. 83 of the GDPR), the supervisory authority will have due regard to the intentional or negligent character of the infringement, and to the degree of responsibility of the controller, taking into account the technical and organizational measures implemented. Therefore, it is imperative that organizations put in place a program for managing GDPR (or any other privacy program) compliance.
It is likely that supervisory authorities would take such a program into account when assessing a breach. Until then, organizations would be wise to implement a strong governance program.
Disclaimer: This blog does not purport to provide legal advice. Please contact the appropriate authorities for legal advice.
To find out how our compliance tracking services can help your organization stay on top of your data protection initiatives, contact Geetha Jayaraman.
Learn more about how Capgemini’s GDPR services can help you with your compliance.
Geetha Jayaraman helps organizations leverage their use of technology by managing risks to achieve organizational objectives. She uses her experience to facilitate digital transformation of organizations through the adoption of the right technology solutions. As an expert in cyber security, she has guided many organizations in balancing risk with the adoption of technologies. Prior to her current role in Information Risk Assurance at Capgemini, she worked with several large technology service providers to bridge business objectives with ICT solutions.