Yesterday, I linked to an article from the U.S. Federal Trade Commission claiming that it is actually really serious about cracking down on privacy violations, citing several laws it apparently has at its disposal. But that was all of one day ago.
Karl Bode, Techdirt:
Case in point: Marriott revealed the company had been compromised for the third time in the last seven years or so. This time around, hackers managed to grab 20 gigabytes of valuable customer data, including credit card numbers and other personally identifiable information, by tricking an employee into giving them access to their computer.
Here’s the thing, though. Hackers had already breached the hotel chain in 2014, gaining access to 340 million guest records planet-wide. That hack wasn’t even revealed until 2018, at which point Marriott saw a $123 million fine its lawyers were able to talk down to $24 million. Another 5.2 million guests had their data breached in another 2020 attack. Lawsuits for the first, 8-year-old hack are still ongoing.
While the first breach affected hotel patrons worldwide, Marriott was only fined by European regulators via the United Kingdom. The FTC acknowledged Marriott’s failure to secure sensitive data from guests — including passport numbers and credit card details — but did not issue a fine. In May — yeah, just two months ago — a judge permitted a lawsuit against Marriott and Accenture. Marriott will, in all likelihood, face financial penalties for this breach, but it is not because of regulators.
That paragraph I just wrote is entirely about the 2014–2018 breach. There are, now, another two breaches Marriott must answer for. Is each one of those going to become a class-action lawsuit in which this one company may pay some compensation while regulators ignore the industry at large? That would be idiotic. But it is hard to know whether there is anything the FTC can do when the laws it has to enforce privacy and security failures are so limited in scope.