Preparing, Adapting and Responding to Cyber Incidents: Marriott International Case Study

Cybersecurity is an issue that every company, of every size, must address as part of standard risk identification. The perception that the size of your company will protect you from a potential cyber attack is no longer realistic. In this case study, Spencer S. Pollock, Esq., CIPP/US, and Roger Hockenberry, CEO, Cognitio Corporation, discuss a recent data breach and lessons that may be learned for a company of any size operating anywhere in the world.

Recently, Marriott International’s reservation database was hacked, and during the breach personally identifiable information (“PII”) belonging to approximately 500 million people was stolen.[1] Marriott generates nearly $22 billion in revenue and spends large sums on cyber defense, yet it could not stop the breach from happening.[2] Due to the breach, Marriott is now facing a multi-million-dollar class action lawsuit in which the Plaintiffs allege that Marriott failed to identify and notify the individuals affected by the breach, which began in 2014.[3] What does the Marriott data breach demonstrate? That no matter the size of your company, or how much you spend on information systems security, a cyber incident may eventually occur.

While your company might not be as large as Marriott, hackers are equal opportunity criminals who do not discriminate by the size or revenue of a company. In fact, 58% of data breaches in the last year occurred within small to midsized companies.[4] If you are the owner or chief executive officer of a small to midsized business, consider the PII your company collects, analyzes, and stores from customers, vendors and partners. Now consider the reputational, financial, and legal effects of this information being stolen. The average cost of a breach for a small to mid-sized business is $149,000.00.[5] After a breach, six out of ten small to mid-sized companies go out of business.[6] Finally, consider the legal ramifications of a myriad of data protection and privacy laws affecting your company. Despite these statistics, there are steps you can take to mitigate the potential effects of a breach. Specifically, your company needs to follow this process: prepare, adapt, and respond.


The most time-consuming and labor-intensive step is ensuring your leadership takes the appropriate actions to prepare your company to tackle the variety of data protection and privacy threats. Every company should develop a strong data strategy that looks at how data is used, how it enters and exits the company, how it is protected, and how it is eventually distributed to the various users of that data. Most companies fail to realize that data is now currency, and identifying risk is essential to the long-term health and viability of your business.

First, examine what PII or other sensitive data your business collects, analyzes, and stores, and why. Decide whether it is necessary to continue collecting PII and, if it is, ensure you do not collect more information than is needed. Second, determine how your company protects PII and implement simple and affordable measures to better safeguard this information:

  • Educate and train your employees on data security best practices;
  • Ensure physical documents containing PII are in secure locations;
  • Keep your servers in a location that is locked;
  • Don’t save information on your hard drive. Use a cloud-based service (e.g., Dropbox, iCloud, Google, etc.) and ensure that appropriate encryption and protection are utilized;
  • Enable two-factor authentication when an employee accesses their workstation;
  • Have a policy that requires employees to change their password periodically; and
  • Limit the ability to obtain the information to essential personnel only.
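The two points above that a company can enforce in software, rather than only in policy, are data minimization (collect only the fields you need) and least privilege (each role sees only the fields it needs). The following is an added illustration, not code from the article or from Marriott; the role names, the field list, and the sample guest record are all constructed assumptions. It filters a PII record down to what a given role may see, writes an audit entry for every access, and reports which collected fields no role actually needs, which is the list to consider dropping from collection.

```python
"""Field-level least privilege and data-minimization check for PII records.

Added example with hypothetical roles and constructed sample data; it is not
the article's or any company's real access policy.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical mapping of job role -> the PII fields that role genuinely needs.
ROLE_ALLOWED_FIELDS = {
    "front_desk": {"name", "reservation_id", "checkin_date"},
    "billing": {"name", "reservation_id", "card_last4"},
    "marketing": {"reservation_id"},  # aggregate-only role: no direct identifiers
}

# Constructed sample record (not real guest data).
SAMPLE_GUEST = {
    "reservation_id": "R-0001",
    "name": "Jane Example",
    "checkin_date": "2019-07-01",
    "passport_number": "X1234567",
    "card_last4": "4242",
    "email": "jane@example.test",
}


@dataclass
class AuditLog:
    """In-memory audit trail; a real deployment would write to append-only storage."""
    entries: list = field(default_factory=list)

    def record(self, user, role, requested, granted, denied):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "requested": sorted(requested),
            "granted": sorted(granted),
            "denied": sorted(denied),
        })


def minimize(record, role, user, audit):
    """Return only the fields `role` is allowed to see, logging the access.

    Raises PermissionError for an unknown role (default deny) after logging
    the attempt, so the denial itself is visible to reviewers.
    """
    allowed = ROLE_ALLOWED_FIELDS.get(role)
    if allowed is None:
        audit.record(user, role, record.keys(), [], record.keys())
        raise PermissionError(f"no access policy for role {role!r}")
    granted = {k: v for k, v in record.items() if k in allowed}
    denied = set(record) - allowed
    audit.record(user, role, record.keys(), granted.keys(), denied)
    return granted


def fields_no_role_needs(record_fields):
    """Data-minimization check: collected fields that no role is allowed to see.

    These are candidates to stop collecting, since nobody can legitimately use them.
    """
    needed = set().union(*ROLE_ALLOWED_FIELDS.values())
    return sorted(set(record_fields) - needed)


if __name__ == "__main__":
    log = AuditLog()
    print(minimize(SAMPLE_GUEST, "billing", "alice", log))
    print("unneeded fields:", fields_no_role_needs(SAMPLE_GUEST))
    print("audit entries:", len(log.entries))
```

The `fields_no_role_needs` check is the one to run before a new form or database column goes live: if a field shows up in its output, the question to the business owner is why it is being collected at all.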

Third, identify which laws, regulations, and statutes control and dictate compliance for your company. Every state has data protection and privacy laws, and there are specific laws governing specific kinds of personally identifiable information (e.g., HIPAA, GLBA, COPPA, TCPA, etc.). While compliance is not equal to security in the cyber world, maintaining consistency with these guidelines is now table stakes for basic security in the enterprise.

Fourth, have your IT department or an external cybersecurity expert firm perform tests on your systems to determine and address any potential vulnerabilities.

Finally, create an incident response plan. Run table-top exercises against established scenarios so that you can quickly identify the parties and leadership needed to analyze, triage, remediate, and communicate about the issues and the steps being taken to resolve the breach. Poor communication is typically the issue that leads to lawsuits, and it can cause serious reputational damage.


After implementing the preparations, companies need to continue to adapt and evolve. Keep educating and training your employees periodically about data protection. Continue testing, monitoring, and assessing your systems for vulnerabilities. Run a privacy impact assessment if you decide to change how you are collecting, using, and storing data. Keep your clients and employees apprised of any changes to your privacy policy and the effect they will have on their PII or other sensitive data.


Lastly, if there is a breach, the most important action is a proactive, decisive, and effective response. Do not ignore the problem. Confront the breach head-on to avoid exacerbating the consequences.

There is no mechanism that will stop a sophisticated and determined hacker from gaining access to your databases; Marriott International is a recent multinational example. However, implementing measures to prepare for a breach, adapting and remaining vigilant to cybersecurity attacks, and responding to an intrusion proactively gives your company a framework to best protect against these types of threats.

For more information regarding data privacy and protection laws, contact:

       Spencer P. Pollock, Esq., CIPP/US is an attorney at Niles, Barton & Wilmer, LLP, concentrating his practice in data security and privacy law, civil litigation, and insurance law. He is a Certified Information Privacy Professional (CIPP/US) who counsels and represents companies in navigating international, federal, and state privacy and data governance laws.

For more information regarding cybersecurity policies and best practices, contact:

       Roger Hockenberry is the CEO of Cognitio Corporation, a consulting and engineering firm specializing in cybersecurity and data strategy. Prior to founding Cognitio, Mr. Hockenberry was the Chief Technology Officer of the Directorate of Operations for the Central Intelligence Agency. His work in this role included creating cloud strategy, driving innovation through the enterprise, and creating unique mission solutions. Prior to the CIA, Mr. Hockenberry was a Managing Partner at Gartner, and worked at Sun Microsystems and Netscape Communications.


[3] See the Complaint filed in Vickie Vetter, et al. v. Marriott International, Inc.
[4] 2018 Verizon Data Breach Report
[5] “On the Money: Growing IT Security Budgets to Protect Digital Transformation Initiatives,” Kaspersky Lab
[6] 2017 State of Cybersecurity among Small Business in North America, Better Business Bureau
