By Patrick Connelly, originally published in Buffalo Law Journal, Buffalo Business First on Jan 21, 2019, 6:00am EST.

Protecting Consumer Data is a Constant Battle for Legal Pros


We’ve all seen the news stories about hackers that gain access to sensitive information held by companies, exposing the private data of millions of people to the dark web.

Most recently, Marriott International revealed that hackers breached its Starwood guest reservation database, which had information about 500 million guests. The breach enabled access to names, email addresses and credit card, phone and passport numbers.

“It looks like Marriott’s issue arose from hackers gaining access to Starwood’s systems as early as 2014,” said Christopher Hayes, special counsel at Phillips Lytle LLP.

“Credit card information is typically the most sensitive when you deal with a hotel,” said F. Paul Greene, a partner at Harter Secrest & Emery LLP.

Both attorneys focus on data security and privacy.

Greene said consumers are particularly vulnerable when, in breaches, hackers steal log-in information for a site.

Many people use the same log-in information for a variety of websites, and these sorts of breaches can give hackers leads to acquire more of a consumer’s data via other online portals.

“All data is of value to somebody. They’ll connect the dots,” Greene said.

Securing data

In establishing cyber security safeguards, Hayes said, “It’s really about identifying what kind of information you have and where it’s housed on your system and who touches it.”

Many businesses use third-party platforms and services to process payments and other sensitive information, he said.

“It might just not be (all) internal folks (handling data),” Hayes said. “Identify what information you have and how you’re keeping it and who’s doing what with it.”

Companies involved in mergers and acquisitions must be careful when data is transferred and businesses must take precautions through due diligence, according to Hayes.

“In today’s world, cyber security and cyber vulnerability have risen to such importance,” he said. “You hope that you’re not buying a company that has an issue like Starwood has.”

In the process, companies should examine data policies and procedures their targets have in place, as well as the technical controls and approaches they use, Hayes said.

Determine if data is compromised

Marriott sent affected customers emails shortly after the announcement of the breach to alert them, but that’s not always the case. Credit monitoring tools such as Kroll also can be of assistance, Greene said.

The corporate investigations and risk consulting firm based in New York City can assist individuals in detecting signs of identity theft that include fraudulent credit activity, according to its website. When a breach occurs, Kroll can monitor your credit profile and work with you to determine exactly what data was breached and if credit monitoring is the right solution, the website said.

If data is compromised, Greene said individuals should alert the creditor, put a freeze on their account or accounts and inspect account activity to see what damage may have been done.

Experts also advise contacting the state attorney general, the Federal Trade Commission and even police.

The future of data security

“We’re in a whole new era in relation to data breach notification,” Greene said.

Under the General Data Protection Regulation that took effect in 2018, companies doing business internationally have 72 hours to conduct an investigation of what’s been compromised, to inform authorities and draft a plan to further contain and mitigate a breach.

California introduced the Consumer Privacy Act, which Greene said is similar in form to the GDPR. It’s also a template for other states to follow.

“Strong privacy regulation is a winner for anyone who can champion it,” he said.