Robert Bond (robert.bond@bristows.com) is Partner & Notary Public at Bristows LLP in London, UK.
As we continue to experience data breaches, whether of personal or nonpersonal data, organizations need to recognize that they have more to fear from class actions than they do from regulatory investigations. Both, of course, are damaging to brand and reputation, but the rise in negligence claims in both the US and the EU should be a wake-up call to C-suite executives.
Recently, a class-action-style lawsuit has been filed in the United Kingdom against Marriott International over the huge data breach that, between 2014 and 2018, affected the personal data of around 500 million hotel guests, including 30 million data subjects in the European Union.[1] As part of the claim, it is alleged that Marriott (or rather Starwood, which it acquired without suitable due diligence) failed to take adequate technical and organizational measures to keep personal data secure. As such, Marriott failed to comply with requirements of European Union data protection law, let alone general obligations of security and confidentiality. In essence, the lawsuit claims that Marriott was negligent.