[crandycodes]

I was confused by this comment but I think what you're trying to criticize is this: "Mariott didn’t take enough precautions to pretend being victim of a hacker."

I agree with that criticism. It's not a crime to be a victim, but being a victim also doesn't mean you're not guilty.

Marriott might, however, still be liable for some damages due to not following common security practices for sensitive personal information. Anyone from California, for example, would have § 1798.81.5 [1] and § 1798.91.04 [2] which would backup their right to have their data handled properly. The FTC might also get involved with their fairly broad powers to protect users privacy (though that agency has been limited in this administration).

[1] http://leginfo.legislature.ca.gov/faces/codes_displaySection... [2] https://leginfo.legislature.ca.gov/faces/billCompareClient.x...