In 2018, Marriott International faced a significant cybersecurity incident when it was revealed that the Starwood Hotels reservation database had been compromised. This breach, which actually began in 2014 before Marriott acquired Starwood in 2016, exposed the personal information of up to 500 million guests, making it one of the largest data breaches in history.
Background of the Breach
The breach involved unauthorized access to Starwood’s guest reservation database, which exposed sensitive data, including names, addresses, phone numbers, email addresses, passport numbers, and even payment card information. The breach went undetected for four years and was only discovered in 2018.
Marriott’s Response and Insurance Claim
After the breach was discovered, Marriott took immediate steps to mitigate the damage, including notifying affected customers, offering credit monitoring services, and enhancing its cybersecurity measures. Marriott also faced several regulatory fines and lawsuits, as well as reputational damage.
To cover the costs associated with the breach, including legal fees, fines, and customer compensation, Marriott turned to its cyber insurance policies. Cyber insurance is designed to help companies manage the financial fallout from cyber incidents like data breaches. Marriott had obtained cyber insurance coverage to protect against such risks, which helped the company manage the significant financial burden resulting from the breach.
Key Issues and Legal Challenges
One of the critical issues in the Marriott case was whether the cyber insurance policies covered the breach, given that it originated before Marriott’s acquisition of Starwood. Insurers argued that the breach’s pre-acquisition origins could limit or exclude coverage. This led to complex legal disputes over the interpretation of policy language, particularly concerning the timing of the breach and the transfer of liabilities from Starwood to Marriott.
Lessons Learned
The Marriott/Starwood cyber insurance case highlights the importance of thorough due diligence during mergers and acquisitions, especially in the context of cybersecurity risks. Companies acquiring others need to assess the cybersecurity posture of the target company and ensure that their insurance policies adequately cover potential pre-existing vulnerabilities.
Moreover, the case underscores the importance of having comprehensive and well-negotiated cyber insurance policies that clearly define coverage terms, including scenarios involving mergers and acquisitions. It also serves as a reminder that cybersecurity should be a top priority in corporate governance to protect both the company and its customers from potential harm.
In summary, the Marriott International/Starwood cyber insurance case is a landmark example of the complexities involved in dealing with data breaches, particularly in the context of mergers and acquisitions, and the crucial role that cyber insurance plays in managing the financial impact of such incidents.