The case of the City of Chicago v Marriott International lives to see another day after Judge Paul Grimm of the Maryland Southern Division District Court denied Marriott’s second motion for dismissal earlier this month. This case, which has been ongoing since 2018, is the first instance of a city suing a private company over a data breach. Let’s discuss what that could mean.
The Facts: Marriott International, the world’s largest hotel chain with over 30 hotels in the Chicago area alone, announced a massive data breach in November of 2018. Marriott revealed that hackers had had access to the reservation database of a hotel company it had acquired two years earlier, from 2012 until the breach was discovered two months before the announcement. In that time, an estimated 327 million guests had personal information compromised, including full names, mailing addresses, credit card details, phone numbers, passport numbers, dates of birth, arrival and departure information, communication preferences, and more. In addition to the privacy violation, the City of Chicago lost 23.5% in tax revenue because of the breach, according to expert testimony.
The hack has been reported to be part of a Chinese cyber-espionage effort and was attributed by both the New York Times and the Washington Post based on code patterns, method of attack, and because the data never wound up for sale, as it typically would if the breach had been carried out by a non-state actor.
Legal Background: Chicago filed suit against Marriott International arguing that it had violated a municipal ordinance requiring it to protect Chicago residents’ personal information, failed to detect the data breach promptly, inadequately responded to the breach, and failed to implement reasonable safeguards that would have mitigated the situation. Chicago is suing on this basis acting in parens patriae under its state constitutional home-rule authority and as the city itself for lost revenue.
Marriott has filed motions for the case to be dismissed twice: once on the basis that the ordinance Chicago claims Marriott violated was unconstitutional and once arguing that Chicago had no standing to sue. Both of these motions to dismiss were denied, as was a motion to exclude the city’s expert testimony demonstrating the loss in tax revenue from the data breach. Judge Grimm’s continued favor with the City of Chicago indicates that the trial will be seen through.
Relevance: Aside from the millions of dollars in fines from various class-action lawsuits, GDPR violations, and remediation costs (such as paying for passport replacements for impacted guests), Marriott also saw a significant dip in customer satisfaction in 2019. A study by an independent security organization found that almost 25% of customers stop doing business with hacked companies and more than 66% of people trust a company less after a breach.
Marriott survived this breach and will continue to operate even if the City of Chicago wins this court case. However, if Chicago wins, precedent will have been established for individual cities to go after private companies on behalf of their citizens, especially in states with similar home-rule authorities or state-wide data privacy laws that permit a private right of action.
States with home-rule authorities in their constitutions include:
- Illinois (limited)
- New Jersey
- New Mexico (limited)
- New York
- North Dakota
- Rhode Island
- South Dakota
- Tennessee (limited)
- Texas (limited)
- West Virginia
*Indicates that this state also has a private right of action for data breaches
Overall, this case presents an alternative avenue for cities within states that do not have overarching data privacy laws but do have home-rule authorities to take action against private companies after a data breach. As attacks continue to shift from ransomware toward data exfiltration, shoring up cybersecurity defenses only grows more important. Our experts here at Consortium Networks recommend Network Detection & Response (NDR), Network DLP, and Database Monitoring solutions as a start to combating these kinds of cyber attacks. Contact us to learn more.
In the News
This month, BitSight Security Research released a report diving into the vulnerabilities of Fortune 500 companies when it comes to credential abuse. BitSight found that 25% of these companies and half of the 20 most valuable public U.S. companies had single sign-on credentials for sale on the dark web. The 2022 Verizon Data Breach Investigations Report found that stolen credentials account for nearly 50% of all cyber attacks, making them the most common attack vector. While there are many other ways to access a system, a focused attacker who can purchase credential information on the dark web presents a substantial risk to vulnerable companies.
The State of the Internet report from Censys was released this month and highlights the need for correctly configured networks: misconfigurations, the report found, make up 60% of internet risks. This can include issues with encrypted services, weak or missing security controls, and self-signed certificates. The report found that 28% of risk is from information exposure, and 12% is from software vulnerabilities.
Industries that have seen the most cyber attack action this month are education, the travel industry (IHG, American Airlines), and healthcare. Various U.S. government affiliates have also been calling attention to the software supply chain, FinTech risks, and cryptocurrency. Industry experts voiced concern to government regulators in two areas this month: the private-public relationship and EPA water infrastructure mandates. Additionally, after industry experts objected to the original provision of funds for cybersecurity in the National Defense Authorization Act (NDAA), lawmakers are reworking budgetary proposals, pointing to a shift on the Hill towards a greater appreciation for industry expertise and advice within cybersecurity.
Iran has been in the news seemingly endlessly this month, from the diplomatic fallout with Albania over an Iranian cyberattack and U.S. economic response to the OpenHands photo leak to the discovery of APT42 and indictment of APT35. Additionally, researchers at Proofpoint found that Charming Kitten (APT35… for the most part) is utilizing social engineering techniques to support increasingly successful phishing campaigns. These techniques are incredibly time-consuming (in some cases, Proofpoint reports, researchers would spend weeks emailing a single target) but are 10x more successful in getting a target to click on a link.
Meta and Google faced a number of high-profile fines this month from both Ireland and South Korea. The Irish Data Protection Commission fined Instagram $401 million for violating the GDPR while South Korea fined Meta $50 million and Google $22 million for privacy law violations in the country. The Denmark Data Protection Agency ruled this month that Google Analytics is not compliant with the GDPR and will either need to be adjusted for increased privacy or not used within the country at all. Denmark is the 4th EU member-state to rule against Google Analytics.
Policy and Politics
Various offices throughout the U.S. government have taken steps this month in the cybersecurity space. The White House itself published a list of six principles to guide future tech reform legislation including reforms aimed at tech competition, algorithm discrimination, algorithm transparency, online privacy, social platform safety, and changes to Section 230 (the codified protection for online social media platforms against being treated as a publisher). The NSA published requirements for quantum-resistant algorithms for national security systems, CISA put out a request for public comments for cybersecurity incident reporting rules, and the NSA, CISA, and ODNI released a joint report on software supply chain guidance. DHS announced $1 billion in funding for state and local government, including school board, cybersecurity programs as part of the Bipartisan Infrastructure Bill with applications for grants due November 15, 2022. CISA published its 2023-2025 strategic plan which focuses on enhancing defensive capabilities, reducing risk to critical infrastructure, increasing private-public collaboration, and unifying CISA’s capabilities. It also floated a potential partnership with universities for a cybersecurity hotline that would have cybersecurity students staff the 311 cyberattack triage service.
In Congress, Rep. Jason Crow introduced the Healthcare Cybersecurity Act (H.R.8806) that would require CISA to take action to improve the healthcare and public health sectors in collaboration with HHS. Sen. Gary Peters introduced the Securing Open Source Software Act to establish CISA’s role regarding open source software security.
The United Kingdom is preparing to impose stricter security requirements and noncompliance penalties on telecommunications companies including requirements of patching flaws within 14 days of discovery, strict government oversight of cybersecurity processes, and strict administrative privilege controls.
The European Union’s newly revealed Cyber Resilience Act will require Internet of Things product vendors to regularly test devices for vulnerabilities, inform authorities and consumers of cyber incidents, provide quick-fixes and security updates for the product’s full life span, and ensure data confidentiality. The European Court of Justice ruled this month that Germany’s data retention policy under the Telecommunications Act that requires service providers to store customer data for 4-10 weeks and make it available for law enforcement.
In Asia, the Indonesian parliament passed a personal data protection bill that includes fines and up to 6 years of imprisonment for the mishandling of data. China’s internet watchdog proposed harsher fines for cyber offenses of up to 50x the current ceiling as a way of boosting cybersecurity throughout the country. Finally, Russia enacted amendments to its personal data law this month that expand the law to include extraterritorial effects, enhanced cross-border data transfer restrictions, and mandatory data breach notifications.
Last month, Consortium Networks attended Fal.Con in Las Vegas, InfoSec World in Orlando, and the Cybersecurity Summit in Charlotte. We loved getting to meet and catch up with our fantastic network across the country!
Mark your Calendars
October 6: Hacks and Hops, Minneapolis
October 12: IIoT World ICS Cybersecurity Day, Virtual
CrowdStrike Adversary Universe World Tour
- October 12: DC
- October 19: Los Angeles
- October 20: Boston
- October 27: Seattle
October 12-13: Rochester Security Summit
October 12-13: DTX Europe, London
October 13: Secure CISO Atlanta
October 13-14: GrrCON, Grand Rapids
October 13-14: SANS Cyber Solutions Fest, Virtual
The Official Cybersecurity Summit
Your Cyber Concierge: Our team is ready to help you find solutions for all of your cybersecurity needs. From Endpoint Detection and Response to Multifactor Authentication to Threat Hunting, we will work with you to find the best solution for your organization and your specific budget, needs, and goals.
Cybersecurity Assessments: Trust our team to quickly and consistently measure your controls against the NIST Cybersecurity Framework, including coverage against each specific domain and sub-domain, maturity of implementation, and provide actionable, prioritized recommendations. Our assessment will satisfy common compliance and regulatory requirements related to regular cybersecurity risk assessments.
Incident Response Planning, Playbook Development, and Tabletop Exercises: To be effective, incident response planning must be relevant to the core functions of your organization. By developing documents to guide actions in a time of crisis, and testing those approaches regularly, your organization will be maximally prepared to minimize the operational impact of a cyber event. Contact Consortium Networks for more information.
Cybersecurity Policy Development, Review, and Refresh: The threat landscape is constantly evolving. So, too, are regulatory and compliance requirements, as well as expectations from clients and third parties. Cybersecurity policies need to anticipate future threats and be kept up to date with accepted best practices while at the same time balancing ease of understanding and implementation. Let us take care of this process for you.
Request for Proposals (RFP) and Procurement Advisory: The requirements set forth in an RFP will determine not only the breadth and depth of potential responses but will also shape all future interactions on the topic with the responding parties such as contract negotiation, payment terms, deliverables, and acceptance criteria. The RFP sets expectations for both parties and outlines avenues available to hold each accountable. Avoid frustrating and costly amendments by making sure your organization has appropriately scoped your RFP from the start.
Any questions? Contact our policy analyst for more information on how events this month may impact your organization by emailing email@example.com