Senators call for data security law in wake of Marriott breach

They want federal legislation to protect consumers and hold companies accountable.

Marguerite Reardon Former senior reporter

Sen. Mark Warner is one of several lawmakers pushing for federal cyber security legislation.

Just hours after Marriott announced a massive data breach, lawmakers on Capitol Hill called on Congress to pass data privacy and security protections to safeguard sensitive consumer information.  

The hotel group revealed Friday that hackers had compromised the guest reservation database for its Starwood division. The hack affected as many as 500 million guests who had made reservations at its Sheraton, W Hotels, Westin, Le Meridien, Four Points by Sheraton, Aloft and St. Regis branded hotels up until Sept. 10 of this year.

Lawmakers in Washington responded almost immediately by calling for federal legislation to protect consumer data and to hold companies accountable for how they handle their customers' personal data.

Sen. Mark Warner, who is vice chair of the Senate Intelligence Committee and co-founder of the Cybersecurity Caucus, said such mega-breaches have become way too common, and he cautioned the public and their elected officials against accepting the trend as the new normal.

The Democrat from Virginia urged Congress to take action.

"We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need," he said in a statement. "And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses."

At least two other Democrats, Sens. Ed Markey of Massachusetts and Richard Blumenthal of Connecticut, echoed these sentiments.

"Checking in to a hotel should not mean checking out of privacy and security protections," Markey said. He called on Congress to pass a consumer privacy and data security law that would require companies to "adhere to strong data security standards" and ensure they "only collect the data they actually need to service their customer."

Blumenthal, who criticized the Federal Trade Commission during an oversight hearing last week for not doing enough to stop such data breaches, also said that Congress needs to step in. And he criticized Marriott for not taking seriously the threat of such an attack.

"Marriott's failure to prevent the theft of private data has placed hundreds of millions of customers at significant personal and financial risk," he said. "The apparent failure to detect and remove hackers from its systems for four years calls into question whether Marriott took the security and privacy of its customers seriously."

Marriott is just the latest in a long and growing list of companies to announce that personal data they had collected on their customers has been stolen. Last month, Hong Kong airline Cathay Pacific announced a data breach affecting 9.4 million customers. In September, Facebook revealed that data for 50 million of its users had been put at risk. This also comes a year after the massive breach at the credit reporting agency Equifax in which hackers stole personal information for 147.7 million Americans.

Lawmakers say it's time for companies to take more responsibility for how they handle consumer data. And they're pushing to do something about it. Earlier this month, Sen. Ron Wyden, a Democrat from Oregon, introduced the Consumer Data Protection Act, which, among other things, would threaten CEOs with possible jail time if they're found to have lied about their data protection efforts.

Marriott's hack put at risk personal information such as credit card numbers, names, mailing addresses, phone numbers, email addresses, passport numbers and other personal data. Even though credit card numbers were encrypted, Marriott said it couldn't be sure that the thieves were not able to decrypt the data. The company provided more information about the hack on its website.

"We fell short of what our guests deserve and what we expect of ourselves," said Arne Sorenson, Marriott's president and CEO, in a release. "We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
