The travel giant Sabre Corp. has reached an agreement with multiple State Attorneys General to pay $2.4 million and make certain changes in its cybersecurity policies to settle a multi-state investigation into a 2017 data breach. Between August 2016 and March 2017, a cybersecurity attack reported by Sabre allegedly compromised 1.3 million credit cards belonging to customers using Sabre’s online booking system.
The Attorneys General of the State of New York and twenty-six other states launched an investigation into Sabre’s 2017 security breach, alleging that Sabre’s cybersecurity measures were inadequate and that Sabre failed to adequately notify customers of the breach. Sabre informed hotel customers of
the data breach on June 6, 2017 and some customers were supposedly not notified until 2018. The multi-state settlement agreement requires Sabre to:
make a $2.4 million payment to be divided among the various states affected
include clear language in future contracts with hotel customers describing the roles and responsibilities of the parties in the event of a data breach
determine whether Sabre provided timely and adequate notice of the breach to its customers and to provide the multi-state coalition with a list of all customers whom Sabre has notified of the breach
establish and maintain a comprehensive security policy, and written incident response and data breach notification plans, and
implement certain security requirements and undergo a third-party security assessment.
In response to the settlement, New York State Attorney General Letitia James said that “Sabre first failed its customers with a susceptible security system, then failed them when it came to provide proper notifications.” Vermont State Attorney General T. J. Donovan, who led the coalition, similarly commented that “When a business relies on a vendor, it should be able to trust that the vendor will adequately protect its data, and if it does have a breach, respond appropriately.”
Putting it Into Practice: The Sabre settlement highlights the increasing interest that state attorneys general have taken in companies’ cybersecurity practices, especially in the wake of a reported breach. Companies would be well served as we start the year to reevaluate their current incident response and breach notice plans.