Data Breaches and Cybersecurity: What the hospitality industry can learn from the Marriott breach

Today’s revelation by Marriott International that a data breach exposed the names and personal details of over 500 million guests sent a shudder throughout the hospitality industry worldwide.

Hoteliers know they are an appealing target for hackers as their databases contain identifying and financial information for very large numbers of people, and they have systems that by necessity must be accessible to many different levels within the company. Because privacy laws in the US, the EU (and other countries around the globe) are becoming increasingly stringent, hoteliers are also keenly aware that the retention and use of guests’ personal information now comes with greater potential liability than ever before.

It is time for hotel brands, and hotel owners and operators, to create effective and comprehensive privacy and cybersecurity policies, procedures and systems.

For JMBM’s Hotel Law Blog, I have outlined some key takeaways from the Marriott International breach. To read the blog,  see  Avoiding Hotel Data Breaches With a Risk Assessment Audit – Lessons From the Marriott International “Glitch”

—  Bob Braun

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.