Another big data breach has made the news, this time from Starwood Hotels and Resorts Worldwide (a subsidiary of Marriott International) in what might be the largest data breach in history. The legal and reputational fallout is likely to be massive. As a clearer picture of the damage emerges, Starwood's various online privacy statements and clickthrough terms and conditions will be incisively scrutinized, as they will be here. Did Starwood follow clickthrough best practices, or did it render its terms meaningless?
First, a quick recap of what we know so far:
- Starwood Hotels and Resorts announced on November 30 that data contained in its guest reservation database was compromised.
- The breach potentially affected up to 500 million guests.
- The company determined that hackers had unauthorized access to its database dating back to 2014.
- According to the company, hackers copied and encrypted guest information and then “took steps towards removing it.”
- For roughly 327 million of those guests affected, the stolen data likely included their name, mailing address, phone number, email address, passport number, Starwood account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.
- Payment information was also compromised for many of those affected.
The fallout is already here. Multiple billion-dollar class action lawsuits have already been filed. GDPR fines are likely, and those could approach the billions on their own.
Will Starwood's legal terms minimize its liability?
Starwood has a massive online footprint. With at least 30 different brands, online reservation options, reward plans, and more, there are likely hundreds (if not thousands) of ways to provide data to Starwood online and purportedly accept various privacy statements and clickthrough legal terms and conditions. We'll dissect the contents of those clickthrough legal terms in a subsequent post, but it's reasonable to assume that they are full of legal terms that Starwood will attempt to rely on in order to minimize its liability resulting from the data breach. It's critical to determine whether those clickthrough terms are enforceable in the first place.
PactSafe's analysis of Starwood's publicly accessible clickthroughs
For this post, we looked at two of Starwood's clickthrough acceptance points. Unfortunately, if they represent the level of attention given to clickthrough terms and policies across its digital ecosystem, Starwood is going to have some serious problems trying to rely on them.
Example #1: Starwood clickthrough acceptance
The first clickthrough we looked at can be found here. On this form there is a “Continue” button, and below that are links to a “Privacy Center” and “Terms and Conditions.” Unfortunately, there is no clear statement anywhere to put someone on actual notice that by clicking “Continue” they are accepting the “Privacy Center” and the “Terms and Conditions.” Without actual notice, Starwood would be left to rely on “constructive notice.” This never works (just ask Zappos).
Example #2: Starwood clickthrough acceptance
Conclusion: issues and questions will be raised in court
While this is admittedly only a small sample out of Starwood's entire footprint of clickthrough agreements, two conclusions can be drawn:
- It's likely these potential issues exist across most of their clickthrough agreements.
- The items presented here are indications of other, latent issues that could also become problems.
When there is a lack of attention to clickthrough design and presentation, there is typically also a lack of attention to how the underlying policies and content are tracked and managed. In turn, this creates additional enforceability challenges and raises more questions: Has Starwood tracked versions of its terms over time? Does it have readily producible, admissible records of which customers accepted which terms and policies, and when? All of these issues and questions will undoubtedly be raised in court.
For further information
- Data breach information site set up by Starwood
- Marriott International press release
- CBS News story on lawsuit filings
Don't let a data breach catch you unprepared. PactSafe can help. Talk to us today.