Beginning in 2014, malware infected the reservation system of Starwood Hotels, which included Sheraton, W Hotels, Westin, Le Meridien, Four Points by Sheraton, Aloft and St. Regis. Then, in 2016, Marriott Hotels acquired Starwood. In November 2018, Marriott discovered and revealed the four-year hacking campaign that attacked Starwood's reservation database.
A total of 383 million guests were eventually determined to have been affected. The data breach resulted in the theft of names, addresses, phone numbers, credit card information, email addresses, and millions of unencrypted passport numbers. The data breach has arguably subjected Starwood to legal liability both in the US (data breach and breach notification laws) and in the EU (the EU General Data Protection Regulation, or GDPR).
In your initial post, please answer both of the following questions:
1. Choose either a US state data breach law or the EU GDPR and explain how it applies or has already been applied to Starwood for its data security breach.
2. Using your best judgment, what would you recommend to create and maintain an infrastructure that would most robustly and effectively protect against future breaches and the liabilities resulting from those breaches? Include any specifics you may be familiar with such as hardware and software recommendations, compliance with specific US and international laws, industry best practices, and any appropriate third-party vendor solutions.