Articles Posted in International Law

On August 5, 2019, Marriott International announced that it had taken a $126 million charge in the second quarter, primarily as a result of the data breach it announced in 2018. Coincidentally, on July 9, 2019, the United Kingdom’s Information Commissioner’s Office (ICO), which enforces the General Data Protection Regulation (GDPR) in the UK, announced that it intends to impose a fine of £99,200,396 ($123,705,870) on Marriott for last year’s data breach.

As was widely reported, in November 2018, Marriott disclosed that hackers had been accessing the Starwood guest reservation database since 2014. Initially, the company said hackers stole the details of roughly 500 million hotel guests, a figure the hotel chain later corrected to 383 million following a more complete investigation. Still, 383 million records is nothing to be laughed at.

The hackers stole a breathtaking array of sensitive data:

  • 383 million guest records
  • 5 million encrypted passport numbers
  • 25 million unencrypted passport numbers
  • 1 million encrypted payment card numbers
  • 385,000 card numbers that were still valid at the time of the breach

What went wrong? What can be distilled from Marriott’s experience that other companies can apply in their efforts to comply with the GDPR?

For JMBM’s Hotel Law Blog, I have outlined some important lessons learned, particularly for U.S. companies with business with Europe. To read the blog, see Cybersecurity Lawyer: Lessons from Marriott’s $123 million GDPR fine.

— Bob Braun

 

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

In their column, Top 10 cybersecurity predictions for the new year, Robert Braun and Michael Gold, co-chairs of JMBM’s Cybersecurity & Privacy Group, offer predictions on federal privacy legislation (they won’t pass any and if by chance they do, it won’t work), data localization (more companies will have to decide whether to maintain services in foreign jurisdictions or leave those markets), governance (companies will finally get real about enforcing written cybersecurity policies), and more.

Published by the Daily Journal, you can read the column here.

 

About JMBM’s Cybersecurity & Privacy Group
JMBM’s Cybersecurity & Privacy Group counsels clients in a wide variety of industries, including retail, aerospace, health care, utilities, sports, media, and professional services such as accounting firms, law firms, business management firms and family offices. We represent clients in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity & Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

About the Daily Journal
The Daily Journal is California’s largest legal newspaper. Published daily, it includes breaking news and exclusive coverage of California legal affairs, California law firm news, updates on business transactions, and special reports throughout the year.

Robert E. Braun and Michael A. Gold are co-chairs of the Cybersecurity & Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP.

Contact Bob Braun at RBraun@jmbm.com or +1 310.785.5331.
Contact Mike Gold at MGold@jmbm.com or +1 310.201.3529.

JMBM’s Cybersecurity & Privacy Group is pleased to announce that the Group’s Co-Chair, Michael A. Gold, will be participating as a panelist for the webinar Bristows Legally Speaking! Data protection and information security in EU, India and California – what next?

Sponsored by the London-based law firm Bristows, the webinar is open to C-suite executives, Chief IT officers, in-house counsel, and others whose companies are doing business in California, Britain, the EU, or India.

Date: Tuesday, October 30, 2018
Time: 9:00 AM – 10:00 AM Pacific

No registration fee is required. Register here.

Panelists include:

Robert Bond, Partner and Notary Public at Bristows LLP, London
Salman Waris, Partner at TechLegis Advocates & Solicitors, Delhi
Michael Gold, Partner at Jeffer Mangels Butler & Mitchell LLP, Los Angeles

Topics that will be explored include:

  • Draft data protection law in India
  • California data privacy laws explained
  • Overview of US privacy laws
  • Comparisons with EU laws
  • What else is on the global horizon for data protection?

We invite you to join us for this informative webinar. Register now!

Co-chairs of the Jeffer Mangels Cybersecurity and Privacy Group, Robert E. Braun and Michael A. Gold, discuss Impact of international privacy laws on U.S. companies. The other videos in this 4-part series include: Why companies need a cybersecurity training program; First steps to take when there’s a data breach at your company; and Cybersecurity for middle market companies.

The Safe Harbor

For 15 years, the Safe Harbor Framework has provided a way for U.S. companies to comply with the EU Data Protection Directive. Under the directive, transfers of personal data from the EU to a non-EU country are prohibited unless the receiving country can assure an adequate level of protection for the data. While a number of countries do comply – among them Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay – the United States does not. The Safe Harbor Framework was developed by the United States Department of Commerce and the European Commission as a mechanism to address the EU law’s adequacy standard. U.S. businesses voluntarily participate in the Framework and thereby comply with its terms.