Are GDPR Class Action Lawsuits the Next Big Headache for Data Professionals?

essidsolutions

Class-action GDPR lawsuits over data-handling failures are shaping up to be the next major infosec pain point for data professionals. Marriott's class-action style suit comes a year and a half after the 2018 data breach, which stemmed from a flaw in the hotel group's reservation and database system. Sagi Leizerov, SVP of Enterprise Privacy Solutions at Dataguise, says it is time for organizations to draw lessons from this case and strengthen data protection by investing in the right privacy and security controls. A clear subtext is that companies should prioritize cybersecurity due diligence in mergers and acquisitions.

An interesting class-action style suit has been filed in the U.K. against Marriott International for the breach it disclosed last year. The suit should be considered pivotal for several reasons of particular interest to privacy, information security and data protection professionals. Before delving into the details of this legal action, here is a quick refresher on the breach.

From 2014 to 2018, hackers had access to Starwood Hotels Group systems that held customer personal data. Marriott acquired Starwood in 2016 and did not detect the intrusion either. The U.K.'s Information Commissioner's Office (ICO) found that when Marriott purchased Starwood it failed to carry out sufficient due diligence and could have done more to secure the acquired systems.

According to the ICO, the incident exposed a variety of personal data held in approximately 339 million guest records worldwide, of which approximately 30 million related to residents of 31 countries in the European Economic Area. Marriott was fined about $130 million by the ICO. In a statement, the U.K.'s Information Commissioner Elizabeth Denham indicated that the size of the fine reflected Marriott's failure of accountability, demonstrated by its lack of due diligence when acquiring Starwood.


What’s So Interesting About Marriott’s Class Action Suit? 

  1. The breached personal data was not "sensitive" in the GDPR sense. Hackers gained access to names, email and postal addresses, telephone numbers, gender and payment card data. None of this falls within the special categories of personal data listed in Article 9 of the General Data Protection Regulation (health, biometric, political and similar data), and most of the exposed elements are commonly shared or easily found in public sources. Card data is the practical exception: it is not an Article 9 category, but it is directly monetizable and separately regulated under PCI DSS, so it is the element most likely to produce measurable loss.
  2. No claim of harm to the impacted individuals. This legal action goes after Marriott for failing to demonstrate accountability over personal data, the failure Commissioner Denham cited, not because any of the exposed customers were shown to have been adversely affected by the breach. If anyone has a legitimate claim of harm against Marriott, it is the card issuers that absorb the fraudulent transactions made on those cards, not the cardholders.
  3. Litigation funders are taking an interest in privacy. Companies that make their money by funding lawsuits and taking a percentage of the settlement (litigation funders) are starting to pay attention to the data protection space. This legal action is fully funded by Harbour Litigation Funding, a global litigation funder. Pay attention, data professionals: the sharks are circling your boat.
  4. Class action suits are not common in the European Economic Area. We usually associate this type of legal action with the American litigation system, but class actions are not an American invention; the mechanism originated in Britain. More importantly for companies that fall under the GDPR, a cursory review of legal mechanisms in Europe shows that Italy, the Netherlands, Poland and Spain also allow class action suits for the protection of consumers.


Want to Avoid a GDPR Class Action Lawsuit?

Here is what we can learn from this case about data and accountability failures that can lead to legal action.

  1. Find all the personal data. Don't just look for the data of EEA residents: the GDPR casts a wide net of applicability (Article 3) that covers data subjects who are in the EU whatever their nationality or residence, and any processing by a controller established in the EU wherever the data subjects are. Keep an inventory of where personal data lives, in which systems and fields, and who can reach it.
  2. Don't just protect the data, minimize it. Minimization can be applied by various means, including masking, tokenization and encryption of fields that do not need to be held in the clear, and can be driven by data location (e.g., not putting all the eggs in one basket), volume, users' roles and retention periods. Data you no longer hold, or hold only in masked form, cannot be exposed in a breach.
  3. When acquiring or merging with another company, assess the target's privacy and security controls and remediate any gaps before its systems are connected to yours, rather than inheriting an undetected intrusion as Marriott did.
  4. You can't be breach-proof, but with the right tools you can be smart about detecting and stopping breaches. An intrusion that goes unnoticed for four years, as this one did, is a detection failure as much as a prevention failure.
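To make the first two points concrete, here is a small added example, written for this article and not code from the original page or from Dataguise, that inventories personal data across a set of constructed guest records modelled on the data elements the breach exposed, then produces a minimized copy: payment card numbers are masked to the last four digits, email addresses and phone numbers are replaced by keyed HMAC tokens, and any field not on an explicit keep-list is dropped. The record layout, the field names, the sample values and the HMAC key are all assumptions for illustration.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed sample records (not real data), modelled on the data elements
# the Marriott breach exposed: name, email, postal address, phone, gender, card.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "Alice@example.com",
     "phone": "+44 20 7946 0958", "postal": "1 Example St, London",
     "gender": "F", "card": "4111 1111 1111 1111", "loyalty_tier": "gold"},
    {"name": "Bob Sample", "email": "bob@example.org",
     "phone": "+1 555 0100", "postal": "2 Sample Ave, New York",
     "gender": "M", "card": "5500 0000 0000 0004", "loyalty_tier": "silver"},
    {"notes": "no personal identifiers in this record", "loyalty_tier": "none"},
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[\d\s\-()]{7,}$")
CARD_RE = re.compile(r"^(?:\d[ -]?){13,19}$")

# Field names that carry personal data but have no recognisable value pattern.
# Assumed column names; a real scanner would take these from the data catalogue.
PII_FIELD_NAMES = {"name": "name", "postal": "address", "address": "address",
                   "gender": "gender"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters most phone numbers and IDs out of card matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value) -> Optional[str]:
    """Value-based detection. Card is checked before phone because a card
    number also matches the phone pattern. Luhn reduces but does not remove
    false positives: roughly one random 13-19 digit string in ten passes it."""
    if not isinstance(value, str):
        return None
    v = value.strip()
    if CARD_RE.match(v) and luhn_ok(re.sub(r"\D", "", v)):
        return "card"
    if EMAIL_RE.match(v):
        return "email"
    if PHONE_RE.match(v):
        return "phone"
    return None


def find_personal_data(records) -> dict:
    """Inventory step: map each field name to the kind of personal data
    found in it across all records (value pattern first, then field name)."""
    inventory = {}
    for rec in records:
        for field, value in rec.items():
            kind = classify(value) or PII_FIELD_NAMES.get(field)
            if kind and field not in inventory:
                inventory[field] = kind
    return inventory


def mask_card(card: str) -> str:
    """Keep only the last four digits, enough for customer-facing lookups."""
    digits = re.sub(r"\D", "", card)
    return "**** **** **** " + digits[-4:]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed token: the same input always yields the same token (records can
    still be joined), but without the key the token cannot be reversed or
    precomputed from public email/phone lists. Store the key separately;
    it is what turns the token back into personal data."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def minimize(record: dict, key: bytes, keep: set) -> dict:
    """Minimization step: drop fields not explicitly kept, mask card numbers,
    tokenize direct contact identifiers, pass everything else through."""
    out = {}
    for field, value in record.items():
        if field not in keep:
            continue
        kind = classify(value)
        if kind == "card":
            out[field] = mask_card(value)
        elif kind in ("email", "phone"):
            out[field] = pseudonymize(value, key)
        else:
            out[field] = value
    return out


if __name__ == "__main__":
    # Hypothetical key for the example; a real one comes from a KMS or HSM.
    demo_key = b"example-pseudonymization-key"
    print("inventory:", find_personal_data(SAMPLE_RECORDS))
    for rec in SAMPLE_RECORDS:
        print(minimize(rec, demo_key, keep={"email", "card", "loyalty_tier"}))
```

The inventory is the artifact an acquirer would want from a target before connecting systems; the minimized copy is what downstream analytics and support tools should receive instead of the raw guest record. Note that the keep-list and the HMAC key are the two decisions that matter: the first decides what can still leak, the second must live outside the data store or the tokens are no better than the originals.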

These four points cannot be addressed through internal surveys, interviews and training alone; they require technology that can discover, classify, minimize and monitor personal data. Adopting new technologies takes an investment of time and money, but so does responding to corrective actions from regulators and class action lawsuits. Can you guess which one is more costly?
