The U.S. Securities and Exchange Commission (SEC) is responsible for overseeing the rules and regulations that govern the financial markets and the securities industry. When a corporation is found to have engaged in fraudulent activities, the SEC can open an investigation and take action against the violating company.
Recently, Marriott International, a hotel corporation with offices located around the world, announced a data breach in their reservation system that could have exposed the personal information of approximately 500 million individuals over the past four years.
Below, we discuss the Marriott hacking scandal in further detail, and we explore whether Marriott was in violation of the SEC’s cybersecurity disclosure standards.
In 2016, Marriott International acquired Starwood as one of its subsidiary hotels. Then, in September 2018, one of Marriott’s internal security tools discovered a possible breach in the U.S. guest database.
Once Marriott discovered that guest information may have been compromised, they opened an investigation to determine the details of the breach and what information had been stolen.
Their investigation uncovered that a hacker copied guest information from the database and encrypted it. From there, Marriott worked diligently to decrypt the information and find out which guest information had been stolen.
The question of whether Marriott violated the SEC’s cybersecurity disclosure standards arises because the company did not mention the data breach when it filed its recent quarterly report with the SEC. The report only described certain cyber risk factors that Marriott might be facing.
Currently, there is no specific law that requires corporations to disclose these types of hacking incidents. As such, Marriott did not violate the cybersecurity disclosure standards as they are currently written. However, that doesn’t mean that companies shouldn’t be obligated to disclose these hacks and cybersecurity risks.
Failure to report and disclose these data breaches puts guests and investors at risk, particularly if the corporation provides false or misleading information to investors and the public.
Marriott faces further scrutiny because the data breach in question was found to have been ongoing within Starwood since 2014, but was not discovered until two years after Marriott acquired its subsidiary.
The SEC is likely to make its standards for cybersecurity disclosures clearer, as the vague nature of the guidelines opens the door for other corporations that have been hacked or face cybersecurity breaches to withhold these breaches from their investors and impacted consumers.
As can be seen, the cybersecurity disclosure standards of the SEC are a cause for concern, and if you believe that you have information regarding a possible violation of these standards, you can work with an SEC whistleblower lawyer at Meissner Associates to report your tip and possibly win a reward for your efforts.
You can schedule your confidential tip assessment today by giving our office a call at 1-866-764-3100 or by completing the secure contact form we have provided at the bottom of this page.