Marriott data breach: Rhode Island small business owners, watch out!
Last week, international hotel chain Marriott revealed that sensitive data belonging to about 500,000,000 (or half a billion) of its customers was breached, likely stolen by hackers. According to news publications regarding the breach (which has already been covered extensively by the Washington Post, CNN, and USA Today among other outlets) the vulnerability has existed since at least 2014, and the hackers were able to access information ranging from the basic, such as names and addresses, to far more sensitive information including passport numbers and detailed travel plans of Marriott guests.
This is a good opportunity for all Rhode Island small business owners to reevaluate—or, for many, to consider for the first time—their data retention policies, data security systems, and data breach insurance. In 2015, Rhode Island’s General Assembly passed laws (codified at G.L. 1956 § 11-49.3-1, et seq.) which provide, among other things, for huge civil penalties in the face of a data breach.
On the same morning the news broke of the Marriott breach, Rhode Island’s outgoing Attorney General, Peter Kilmartin—whose two terms as Attorney General will, in my opinion, be remembered for his outstanding consumer protection work—published an alert notifying Rhode Islanders of the breach and the ways Rhode Island citizens can protect ourselves from any ill effects like identity theft. Although his publication did not explicitly mention the penalties to which Marriott may be subject under Rhode Island’s data breach laws, those penalties can be onerous: so large, in fact, that a Rhode Island small business without the proper measures in place could be forced into bankruptcy in the face of a data breach.
Consider this: Rhode Island’s data breach laws, collectively called the “Rhode Island Identity Theft Protection Act of 2015,” provide for a $100 civil penalty if the breach was “reckless.” The penalty doubles to $200 if the breach was “knowing and willful.” If you’re a small business owner, this may not sound like much—until you consider the fact that these penalties are imposed on a per-record basis! In other words, even if we assume that only one out of every one thousand people affected by this breach are Rhode Island residents, Marriott is looking at a civil penalty of about $50,000,000—or $100,000,000 if the breach was “knowing and willful.” Yes, you read that right: FIFTY MILLION or, possibly, ONE HUNDRED MILLION DOLLARS. And, bear this in mind: that number only pertains to Rhode Island’s laws. Most states have similar laws in place.
If you own or operate a Rhode Island small business, or even a small business outside Rhode Island which stores data pertaining to Rhode Island residents, now is the time to make sure you are protected by adequate security systems and insurance should your customers’ records be breached. The Law Office of Rob D’Alfonso can help your small business design policies, implement systems, and find the right data-breach insurance policies which can protect against these potentially-crippling civil penalties. Contact us for more information.