January 27, 2023

Volume XIII, Number 27


January 26, 2023

Subscribe to Latest Legal News and Analysis

January 25, 2023

Subscribe to Latest Legal News and Analysis

January 24, 2023

Subscribe to Latest Legal News and Analysis

Travel Giant Sabre Reaches Deal with State Attorneys General Over Data Breach

The travel giant Sabre Corp. has reached an agreement with multiple State Attorneys General to pay $2.4 million and make certain changes in its cybersecurity policies to settle a multi-state investigation into a 2017 data breach.  Between August 2016 and March 2017, a cybersecurity attack reported by Sabre allegedly compromised 1.3 million credit cards belonging to customers using Sabre’s online booking system.

The Attorneys General of the State of New York and twenty-six other states launched an investigation into Sabre’s 2017 security breach, alleging that Sabre’s cybersecurity measures were inadequate and that Sabre failed to adequately notify customers of the breach.  Sabre informed hotel customers of 

the data breach on June 6, 2017 and some customers were supposedly not notified until 2018.  The multi-state settlement agreement requires Sabre to:

  • make a $2.4 million payment to be divided among the various states affected

  • include clear language in future contracts with hotel customers describing the roles and responsibilities of the parties in the event of a data breach

  • determine whether Sabre provided timely and adequate notice of the breach to its customers and to provide the multi-state coalition with a list of all customers whom Sabre has notified of the breach

  • establish and maintain a comprehensive security policy, and written incident response and data breach notification plans, and

  • implement certain security requirements and undergo a third-party security assessment.

In response to the settlement, New York State Attorney General Letitia James said that “Sabre first failed its customers with a susceptible security system, then failed them when it came to provide proper notifications.”  Vermont State Attorney General T. J. Donovan, who led the coalition, similarly commented that “When a business relies on a vendor, it should be able to trust that the vendor will adequately protect its data, and if it does have a breach, respond appropriately.”

Putting it Into Practice:  The Sabre settlement highlights the increasing interest that state attorneys general have taken in companies’ cybersecurity practices, especially in the wake of a reported breach.  Companies would be well served as we start the year to reevaluate their current incident response and breach notice plans.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 4

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

James Fazio Intellectual Property Attorney Sheppard Mullin Law Firm
Special Counsel

James Fazio is special counsel in the Intellectual Property Practice Group in the firm's San Diego (Del Mar) office.

Areas of Practice

James focuses on intellectual property and business litigation. He represents public and private companies in disputes such as those involving patent and trademark infringement, theft of trade secrets, fraud, breach of contract, unfair competition, false advertising and various business tort claims. James has more than 24 years of litigation experience and was selected by his peers among the top ten intellectual property...