Marriott Vacation Club International (MVCI), the vacation ownership division and subsidiary of Marriott International Inc., had a nasty Christmas Eve surprise for 206,000 of its customers: a report that backup tapes containing sensitive personal data, including Social Security numbers and bank and credit card numbers, had been lost.
MVCI issued a press release Dec. 27 reporting that the tapes had "disappeared" from the corporate office in Orlando, Fla., in mid-November, according to some reports. The company said that the letter to affected customers and associates had only gone out Dec. 24 because it was first trying to find the tapes, and then conducting an investigation to figure out what data was on the lost cartridges.
According to an official statement on the company Web site, "MVCI will be reviewing its policies and practices around the storage of customer and associate data to ensure that sensitive data is only stored where absolutely essential." Kinney declined to give further details on what steps MVCI is considering to strengthen data security.
The company sent four separate letters to all its customers: one indicating the customer's credit card number was among the data lost on the tapes; one for Social Security numbers; one for bank account numbers; and one letter to unaffected customers. Customers whose data fell into multiple categories were sent multiple letters.
MVCI said it had also notified state and federal officials, credit card companies, credit reporting agencies and the U.S. Secret Service of the loss.
Finally, MVCI is offering free credit-report monitoring with Intersections Inc. The service includes a three-bureau credit report, and assistance reviewing the report and placing a fraud alert. The company had previously enrolled customers with identity theft insurance, and mentioned in its letter to impacted individuals that they were eligible for up to $2,500 in financial reimbursement, with a $250 deductible for certain expenses associated with identity theft.
A high-profile problem in 2005
Data security, and the loss of tapes containing sensitive information, was a hot topic this past year, after a lengthy list of companies, including CitiFinancial, Bank of America Corp. (See Banks mull data security in wake of missing tapes, March 1 and Tape Caper: Users split on data security options, June 9).
In response to concerns about data security, legislation has been enacted in several states this year, including New York, Nevada and Texas, requiring disclosure of security breaches and hefty penalties for noncompliance. A nationwide version of the state regulations, the Specter-Leahy Act, is currently being debated in Congress. See also Privacy expert calls for action on Specter-Leahy bill, Dec. 12.
In the wake of security concerns, the industry has been pushing the encryption of data throughout its lifecycle, including tapes taken off site. Many security breach laws, such as the one passed in New York, provide an exemption for companies whose tapes are encrypted. Off-site storage vendors, such as Iron Mountain Inc., have also begun offering encryption services to customers.