7 Things You Can Do Now in Light of the Starwood/Marriott Breach

November 30, 2018

By: Drew Sorrell

Today Marriott International announced a massive data breach of its Starwood database. Hackers took off with names, mailing addresses, phone numbers, email addresses, passport numbers, affinity account information, dates of birth, gender, arrival and departure information, reservation dates and communications preferences or some combination of this personal information. According to Marriott officials, the stolen information was accessed from the Starwood database as early as 2014 and affects information in the company’s possession prior to September 10th of this year.

Here are 7 ways to protect yourself:

1. Communicate with business associates. Are you traveling? The hackers now know this, and the details. Remind your business associates how a smart hacker can exploit and spoof your email to look like it’s coming from you, and to always double check with you personally before acting on that odd request to wire money or send employee information to “you” while you are traveling.

2. Change your passwords. If you recycle passwords as many of us do (but shouldn’t), at a minimum change the password for every account that uses the same email address. Consider changing your passwords on a routine basis using a trigger that is easy to remember, such as daylight savings time.

3. Change your Starwood password. Obvious.

4. Sign up for credit monitoring. Credit monitoring is increasingly cheap and in some cases free. Why not have it in place, so that if a new account is opened, a new credit check hits or the like, you get an instant message or email when it happens and can react?

5. Get a password manager. One of the problems with passwords is having to remember them. With a password manager, you create a single master password (we suggest using a pass phrase that is memorable, long, and includes a number and special character), and then file your other passwords into the encrypted password manager. You won’t have to remember any passwords but the one that gets you into your password manager. Easier and safer!

6. Download the App for your credit cards and banks. Frequently, these apps will permit you to turn on messaging to alert you of transactions. Thus, if you are sitting in a meeting and get a text that “you” just bought something, you may react immediately. Many also offer two-factor authentication, where you receive a special code via text after logging in – highly recommended if available.


7. Consider your Email Choice. If you are using your work email, as many of us do, for travel or other accounts, when they are breached, this email address is a trail back to you at the office. We suggest using a different email address that is generic and sanitized for such things.

Hackers are smart. Try to be smarter with extra thought and security applied to all your online activity.

If you have any questions regarding data breaches, contact Drew Sorrell or any member from our Privacy, Cybersecurity & E-Discovery Group.


Drew Sorrell's practice focuses on complex commercial issues, relating to both litigation and contract/policy drafting.

Drew has years of experience litigating business matters, intellectual property/patent infringement disputes, data breach/privacy issues, wire fraud (spoofing/spear phishing), business torts/disputes, insurance coverage, personal injury and employment litigation. Likewise, he has significant experience drafting and negotiating software licenses (SaaS), Internet service provider agreements, data privacy/breach policies and procedures, employment/services agreements as well as the indemnity and insurance coverage related to those agreements.

Initially, Drew began his legal career as a judicial clerk to Senior United States District Judge John H. Moore II, in Jacksonville, Florida, and then practiced with an AmLaw top 10 firm in Manhattan primarily in their litigation department. After spending some time as an assistant county attorney responsible for litigation, he joined Lowndes and is currently chair of the firm’s multi-discipline Cybersecurity, Privacy & eDiscovery Group.

A founding member of the Sedona Conference Group 11 (Privacy/Data Security), Drew is frequently asked to speak and write on legal and ethical issues arising from technology, including unfair and deceptive trade practices, data breach, privacy, data governance, and technology contract drafting. He is also currently serving as chair of the Orange County Bar Association Intellectual Property Committee.

Drew has argued to the United States Court of Appeal for the Eleventh Circuit, at the federal level, and the Fifth District Court of Appeal at the state level. He is admitted to The United States Supreme Court Bar, as well as the Florida, New York and District of Columbia Bars. He is admitted to practice before all federal district courts in Florida as well as the Southern District of New York.

Born in Florida, Drew roots for his adopted football team—the FSU Seminoles (because neither Rollins nor George Washington has a football team). He is a proud father of two sons who play basketball and soccer, make great grades and generally keep him very busy in his spare time.
