Notepad: Risk in Review – January/February 2019

Morgan O'Rourke


February 1, 2019

Marriott Breach Exposes 383 Million Records

Hotel chain Marriott International revealed in November that a massive breach of its Starwood guest reservation database exposed the personal information of as many as 383 million customers. In an attack that dated back to 2014, hackers reportedly gained access to names, addresses, phone numbers, dates of birth, email addresses, and a variety of travel and customer reference data. More than 25 million passport numbers (5.25 million of which were unencrypted) and 8.6 million encrypted credit and debit card numbers were also accessed. Investigators suspect that the breach was part of an intelligence-gathering effort by the Chinese government. Early estimates by AIR Worldwide predicted that direct losses from the incident will cost the company between $200 million and $600 million. This figure includes first- and third-party losses directly related to the breach, including notification costs, forensics, credit monitoring, replacement of credit cards, setting up a call center, and any liability covered under an affirmative cyber policy. Notably, the estimate did not include business interruption, reputation damage or regulatory fines, which, for GDPR violations alone, could amount to as much as $915 million (based on a maximum penalty of 4% of Marriott’s $22.89 billion in revenue for 2017). At least two separate federal class action lawsuits have been filed against Marriott by past hotel guests for failing to adequately protect their data and not providing proper notice once the breach was discovered.

Fatal Workplace Injury Numbers Show Modest Decline

The U.S. Department of Labor reported that there were 5,147 fatal workplace injuries in 2017, a slight decrease from the 5,190 fatal injuries reported in 2016. The fatal injury rate decreased to 3.5 per 100,000 full-time equivalent workers from 3.6 in 2016. Transportation incidents were the most frequent fatal event, accounting for 2,077 deaths, while the 887 fatal falls reported were the most in the 26 years that data has been collected. Violence and other injuries by persons or animals, contact with objects and equipment, and exposure to harmful substances or environments were also at the top of the list. Unintentional overdoses due to the non-medical use of drugs or alcohol while at work increased by 25% from 217 in 2016 to 272 in 2017, marking the fifth consecutive year overdose deaths increased by at least 25%. The most dangerous occupations were fishing and logging, which experienced fatal work injury rates of 99.8 and 84.3 deaths per 100,000 full-time equivalent workers, respectively. Truck drivers suffered the largest number of fatal injuries, however, with 840.

Copyrights Expire After 20-Year Reprieve

On Jan. 1, the copyrights expired for tens of thousands of works released in 1923, including classic films, plays, songs and books from the likes of Charlie Chaplin, Cecil B. DeMille, George Gershwin, Louis Armstrong, E.E. Cummings and Agatha Christie. These works are now in the public domain, which means that anyone can broadcast, republish, distribute or remix them without first having to seek permission or pay any royalties to the original rights holder. This was the first set of creative works to enter the public domain since the Copyright Term Extension Act was passed in 1998, which extended the length of a copyright from 75 years to 95 years, or from 50 years after the author’s death to 70 years. At the time, the stated intention of the law was to protect the economic interests of the entertainment industry, but some critics nicknamed it the “Mickey Mouse Protection Act” due to Disney’s extensive lobbying efforts on its behalf. Disney’s copyright on Mickey Mouse, who first appeared in the 1928 animated short film Steamboat Willie, is scheduled to expire on Jan. 1, 2024.

Fiat Chrysler Reaches Settlement Over Diesel Emissions Violations

The U.S. Department of Justice announced that Fiat Chrysler agreed to pay $305 million to settle allegations that it used illegal software on 104,000 diesel-powered Dodge Rams and Jeep Grand Cherokees to cheat on emissions tests in violation of the Clean Air Act, as well as another $6 million for the illegal import of 1,700 noncompliant vehicles. The company also agreed to implement a recall and repair program to fix the affected vehicles, offer extended warranties on the repaired vehicles, and take steps to mitigate excess pollution from these vehicles, which could add another $185 million in costs. In addition, Fiat Chrysler will pay $19 million to California to settle similar state regulatory violations. In a separate announcement, the automaker also agreed to pay $280 million to settle a lawsuit brought by vehicle owners. The case mirrors the 2017 emissions cheating scandal that cost Volkswagen up to $30 billion in regulatory fines, legal costs, and vehicle buybacks and repairs.

NFIP Extended Through May

In December, hours before the U.S. federal government shutdown, the National Flood Insurance Program (NFIP) received yet another short-term extension, this time through May 31. The NFIP currently has more than five million policies in force in the United States and collects more than $3 billion in premiums every year, but many critics believe that substantial reforms are necessary as part of a long-term solution. As it is currently structured, the program has an estimated annual operating loss of $1.4 billion and is more than $20 billion in debt. Data for 2018 losses is not yet available, but for 2017, more than 95,000 NFIP claims were filed, totaling over $8.7 billion, making it one of the most costly years in the program’s history.

Morgan O’Rourke is editor in chief of Risk Management and director of publications for the Risk & Insurance Management Society, Inc. (RIMS)