It's important to distinguish that it wasn't actually Marriott that had the data breach. It was Starwood Resorts, now a Marriott-owned entity, but at the time of the breach it was not a Marriott property. Marriott is being treated as the guilty party because they now own Starwood, but Marriott's systems were never breached, so Marriott should keep doing what they are doing (presumably) and transition all the Starwood systems over to the more secure Marriott systems (which I believe they already said they are doing).
That being said, from the recent Google+ breaches to the older Target breaches, it increasingly feels like I'm flipping a coin when I trust companies with data.
Based on Marriott's handling of this breach, they seem to be decent at security. But I don't know how as a consumer I could tell that in advance of all of this.
M&A is a culprit in no small number of these cases, so let's be crystal clear: M&A does not absolve anyone of responsibility. Let me know when the underwriting bankers have their bonuses garnished for lack of due diligence, and then you can tell me about how "it wasn't actually Marriott that had the data breach". Let's say it loudly and clearly: no, it was Marriott that had the data breach.
So I don't actually feel a ton of ill will to them, even though I agree that doesn't absolve them of the fact that they bought it, and it is now very much their problem to deal with. It may not be your fault that the puppy that you bought isn't house trained, but I'm still not going to clean your carpet for you.
Having said that, this kind of underscores what I was talking about above. If Marriott themselves couldn't tell in advance that the company they were buying was an insecure liability, how the heck am I supposed to be able to tell?
If it's not feasible for a company like Marriott or Verizon to know in advance of an acquisition which companies are secure and which companies aren't, consumers have no chance. There's no feasible way for a consumer to protect themselves in that world.
Strongly disagree, this is playing with variables.
Marriott2016 + Starwood2016 = Marriott2017.
Marriott, the present day company, absolutely includes the company that had the "control or agency to stop it".
> it would have just meant the breach was someone else's problem
This isn't a wash. Tort is only effective if the party responsible gets punished, so it's very important which party gets punished. If Marriott had discovered the breach in due diligence, the Starwood investors' payout would have taken a big hit.
As it happens, there are two behaviors that need to be disincentivized: Starwood designed faulty systems and pawned off its ramshackle legacy crap to the highest bidder; and Marriott2016 (much like Equifax) glommed together so many legacy systems that the likelihood of breach intensified (though to Marriott's credit, the attack doesn't seem to have escalated out of the former Starwood into the parent systems. I'd still like to see steep fines imposed, but way smaller than on Equifax, proportional to that contained scope).
The penalty on Marriott2017 should be steep enough to encourage future buyers to step up their due diligence enough to put the acquiree's payout at risk, while also rewarding Marriott for catching the leak before escalation.
> It may not be your fault that the puppy that you bought isn't house trained, but I'm still not going to clean your carpet for you.
I like your analogy a lot.
Got close to pushing them to a centralized database (instead of the per-property Access database), but left before we could finalize that project. Ugh, and the reports I had to design... they wanted smaller than 7 point font on legal paper that would then be faxed. Every property would fax quarterly reports generated by my software for board review.
Interesting times.