If Beacon Hill lawmakers needed a prod to finish the year by passing a major piece of consumer protection legislation, they got it from the friendly folks at Marriott International.
On Friday, the hotel chain revealed that hackers had slipped into its Starwood reservation system and stolen the personal information of as many as 500 million guests.
The breach, which began in 2015, lasted until this September and affected visitors to all of the chain’s Starwood properties: Sheraton, Westin, W Hotels, St. Regis, Four Points, Aloft, Le Meridien, Tribute, Design Hotels, Element and the Luxury Collection. The thieves gained access to the names, addresses, phone numbers, birth dates, email addresses and encrypted credit card data of the hotels’ guests. In some cases, the hackers were able to grab travel histories and passport numbers.
It was a stunning theft, second only to the massive Yahoo breach in 2013 and outpacing highly publicized episodes involving Target and Equifax.
“On a scale of 1 to 10 and up, this is one of those No. 10-size breaches,” Chris Wysopal, chief technology officer of the security company Veracode, told The Associated Press. “There have been only a few of them of this scale and scope in the last decade.”
Congress has been grappling with the issue in recent years, and there’s been much posturing but little real action. The one notable exception was the passing of legislation letting consumers place or lift a freeze on their credit for free; previously credit bureaus were allowed to charge users for the privilege.
After the Marriott hack was revealed, Virginia Democrat Mark Warner, a member of the Senate’s Cybersecurity Caucus, said the U.S. needs laws that limit how much data companies can mine from their customers. The cost of that effort, he said, should be borne by business, instead of forcing consumers to “shoulder the burden and harms resulting from these lapses.”
Congress is really the only authority with real leverage to bring about widespread change — by stopping the warehousing of data, putting more rigorous requirements on how personal data are protected, more closely controlling the activities of the credit bureaus (for instance, why isn’t a credit “freeze” the default setting, which someone has to lift each and every time their credit is reported?), or all of the above.
The pace of reform has been slow. Given the devastating effects of identity theft, consumers don’t have time to wait for Congress to get its act together. Increasingly, the states are stepping forward. Earlier this year, California passed sweeping legislation aimed at protecting the data of its citizens. Massachusetts has the opportunity to follow suit, in a more modest way, if its lawmakers act before the end of the year.
A bill aimed at protecting consumers from data breaches passed both the House and Senate earlier this year but has languished for months after Gov. Charlie Baker sent it back with some sensible suggestions for amendments.
The measure would require that companies seek permission from consumers before using or obtaining their credit reports, and it provides for free credit monitoring for anyone affected by a data breach.
“It puts consumers back in the driving seat of their own credit, and I think that’s really important,” said state Rep. Jennifer Benson, a Lunenburg Democrat. “There are so many pieces of our identity out there in the public realm that we lose control over, and this is regaining some of that control.”
The legislation, championed in the Senate by Barbara L’Italien, chair of the Consumer Protection Committee, seemed set to be enacted earlier this year before Baker offered his suggested amendments.
Benson called those changes, which would help state workers continue to ensure child support and protect the credit history of minors under state care, “smart.”
“I think it’s something that definitely needed to be addressed,” she said. An updated version of the bill, taking Baker’s suggestions into account, moved forward, at least procedurally, in the House last Thursday — the day before the Marriott data breach became public.
“We have worked hard to ensure that consumers have access to resources needed after a breach occurs, while making sure the commonwealth is in step with federal security data regulations,” state Rep. Tackey Chan, the House chair of the Consumer Protection Committee, said last week.
Now it is incumbent on the rest of the state’s lawmakers, House and Senate alike, to get the legislation passed before the end of the year. Their constituents deserve nothing less.