Duty of Competency and Reported Marriott Data Breaches
Earlier this month multiple news stories reported that hackers had breached Marriott’s security and had stolen customer information. Marriott, or its acquired Starwood entity, may face claims and liability from customers whose data was taken (the data breach reportedly occurred in the Starwood Hotel system years before it was acquired by Marriott). In addition, Marriott and Starwood may face liability from the Federal Trade Commission which enforces federal privacy rules. n:\active\franchising\franchise book and articles - lagarias\more competency marriott.12.12.18.docx
An interesting derivative issue from this franchise hotel company data breach is the potential for harm to the franchise brand’s franchisees. Franchisees ordinarily have no control of the franchisors’ customer relation management (CRM), point of sale (POS) software, and databases. If the franchisor is negligent or reckless in selecting and managing such software, hardware and databases, those actions may also harm the franchisees. Namely, if customers stop coming to Marriott hotels due to a widely publicized data breach, the Marriott franchisees will suffer monetarily.
Courts generally address franchisors’ conduct vis-à-vis their franchisees through the lens of contractual rights and duties. Under such an analysis, any liability for a franchisor to its franchisees would likely rest upon breach of its contractual obligation to provide the trademarks. After all most franchise agreements, at their core, are trademark licenses. Why, however, shouldn’t Marriott be liable to franchisees for negligently performing its trademark related duties?
There is little case law on this question, and still fewer cases applying a tort negligence analysis rather than a contract analysis. But there should be recompense for franchisees as they can face substantial injury and damages due to their franchisors’ misconduct.
Of course if a negligence standard were applied that may not be the end of the inquiry. Published reports indicate that Chinese state hackers penetrated the Starwood computers. One might expect Marriott to contend in a negligence action that it used due care to protect its computer databases but was the victim of state sponsored misconduct.
Stay tuned as the development of the common law takes time.