Strongly disagree, this is playing with variables.
Marriott2016 + Starwood2016 = Marriott2017.
Marriott, the present day company, absolutely includes the company that had the "control or agency to stop it".
> it would have just meant the breach was someone else's problem
This isn't a wash. Tort is only effective if the party responsible gets punished, so it's very important which party gets punished. If Marriott had discovered the breach in due diligence, the Starwood investors' payout would have taken a big hit.
As it happens, there are two behaviors that need to be disincentivized: Starwood designed faulty systems, and pawned off its ramshackle legacy crap to the highest bidder; and Marriott2016 (much like Equifax) glommed together so many legacy systems that the likelihood of breach intensified (though to Marriott's credit, the attack doesn't seem to have escalated out of the former Starwood into the parent systems. I'd still like to see steep fines imposed, but way smaller than on Equifax, proportional to that contained scope).
The penalty on Marriott2017 should be steep enough to encourage future buyers to step up their due diligence enough to put the acquiree's payout at risk, while also rewarding Marriott for catching the leak before escalation.
> It may not be your fault that the puppy that you bought isn't house trained, but I'm still not going to clean your carpet for you.
I like your analogy a lot.