• by Wendy Davis  @wendyndavis, November 30, 2018

News that the Marriott hotel chain suffered a data breach that may have affected 500 million guests is spurring a renewed call for new federal legislation.

“It’s time for Congress to pass comprehensive consumer privacy and data security legislation that requires companies to adhere to strong data security standards, directs them to only collect the data they actually need to service their customer, and creates penalties for companies that fail to meet them,” Senator Ed Markey (D-Massachusetts) stated Friday.

Markey's new push for legislation came several hours after Marriott revealed that hackers accessed data for around 500 million people who made reservations at a Starwood hotel. The stolen information includes a trove of personal data -- including names, mailing addresses, email address, passport numbers, and birthdates. Hackers first gained access to the database in 2014, the hotel chain said Friday.

Three years ago, Markey and other lawmakers proposed legislation that would have required companies to notify consumers within 30 days if hackers obtain “sensitive” information -- including photos, geolocation data and medical information. That bill, which didn't advance, also would have required requires companies to minimize retention of “sensitive personally identifiable information,” including bank account numbers, social security numbers, online usernames and passwords, health-related information and password-protected photos and videos.

Attorneys general in New York and Maryland said Friday morning they were investigating the company.

“New Yorkers deserve to know that their personal information will be protected,” New York Attorney General Barbara Underwood said Friday on Twitter.

Underwood also reiterated her support for a proposed law in New York, the Stop Hacks and Improve Electronic Data Security Act, that would require companies to use reasonable safeguards to protect sensitive data.