Marriott proposals to strengthen data privacy following data breach fallout

Marriott president and CEO, Arne Sorenson has described potential changes in its cybersecurity approach to a governmental subcommittee in the US.

Mr Sorenson said:

“Part of our strategy going forward is to rely on encryption and tokenisation to say, ‘Whatever data we keep in this space, for example, it should all be encrypted.’ That, by itself, is not necessarily a totally adequate defence, but it is one of the tools we should use.”

The Marriott boss is also considering the decentralisaiton of data, so that information remains at the hotels in which it was collected.

But tech expert, Thomas Jackson, who chairs law firm Phillips Nizer’s tech practice group has expressed fears that the measures are not enough.

“Typically, large enterprises have far more sophisticated means of protecting against intrusions than smaller businesses do,” Mr Jackson said.

Marriott also intends to encrypt all passport data, and is looking at the length of time it retains payment card details.

Jackson said that he found the way in which the hotel group dealt with passport information to be “particularly alarming”, adding that the data does not need to be held indefinitely. The requirements for retaining such information can be satisfied by “simply requesting the data anew at the point they are required to collect it,” Mr Jackson added.

Mr Sorenson also underlined the absence of “substantiated claims of loss from fraud attributable” to the breach on the group’s Starwood division database. Experts brought in to investigate the breach’s ramifications have not found any passport data being put up for sale on the dark web. The passport numbers themselves have also been nullified and cannot now be used for travel or to secure new official documentation of any kind.

While Mr Sorenson has not been able to say who, Marriott believes, is behind the record-breaking data breach, secretary of state, Mike Pompeo said last year that he felt China may have been responsible.

Mr Jackson was also critical of Marriott International for the time it took to publically reveal that the data breach had taken place.

After being told of the intrusion on the Starwood system on September 8th 2018, the company realised that guests’ personal data had been impacted on the 19th November, and did not disclose the revelations until 11 days later.

“I am not a big believer that a company that is breached should wait to inform the affected parties until [the company has] more information,” Jackson said.

More broadly in the US, California is looking at pushing forward with its legislation on data security. The Starwood data breach has been a driver, a spokesperson has said, to a bill being put forward that would force companies to alert customers whose passport and biometric data were breached. This would build upon standard alerts in place for breaches in data such as social security numbers, driving license numbers and medical information.

A second bill would develop terms upon which users can sue companies that fail to inform consumers about how their personal data is used, under the California Consumer Privacy Act.

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.