The Information Commissioner’s Office (ICO) has announced its intention to fine Marriott International (Marriott) approximately £99m for breaches of the General Data Protection Regulation (EU) 2016/679 (GDPR). The group is also the subject of extensive legal claims across multiple jurisdictions.
The alleged data breaches relate to an incident disclosed in November 2018 in which approximately 339m guest records were exposed globally, of which around 30m related to residents of EEA countries and seven million to UK residents. Marriott has since confirmed that data was stolen by hackers and included personal data such as guests’ names, home addresses, telephone numbers, encrypted credit card numbers, passport numbers, dates of birth and other identifying information.
Marriott acquired Starwood Hotels (Starwood) in 2016. Starwood’s systems had been compromised since 2014, but the compromise was not identified during the due diligence process and was not discovered by Marriott until 2018, some two years after the acquisition completed.
The ICO investigation found that “Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”. It appears that Marriott reported the breach to the ICO upon discovery, but that the affected systems had remained exposed to the attackers for the two years between the acquisition and that discovery.
At present the notice of intent issued by the ICO allows interested parties to make representations over the next 16 weeks before a final decision is made. Some argue that the notice of intent is merely in place to show that the ICO is taking a proactive approach towards data breaches.
It has now been over a year since GDPR came into force in the UK, and the fine proposed against the Marriott group sends out a clear signal of the ICO’s approach to significant data breaches.
The key lessons are:
1. Implement security processes in line with best industry practice and commensurate with the amount and type of data your business is processing – it is impossible to guarantee perfect security, but this decision reinforces the need for businesses to have robust security procedures in place that follow recognised industry and quality standards, especially where the business processes a high volume of sensitive personal data such as card numbers, names and addresses.
2. Regularly review and test your security processes – businesses are obliged to continually monitor and test their security structures and processes in response to new threats, so you cannot stand still. One of the aggravating factors in the Marriott case is that the weaknesses in the systems had been allowed to remain for a number of years both before and after Marriott’s acquisition of Starwood.
3. Keep records – if you are unfortunate enough to be hacked, being able to evidence the steps you took to prevent the attack and to protect the personal data you hold will assist in responding to the regulator and in defending any legal claims that may be made.
4. Put in place cyber insurance – hacking is a criminal act by a third party and it is impossible to create and maintain a perfect security system. We would therefore advise all customers to have a cyber insurance policy in place, to protect the business from the financial consequences of a data breach. Insurance complements, rather than replaces, the security measures described above.
5. Take extra care when acquiring businesses whose databases contain personal data – appropriate due diligence should be carried out, pre-completion, on the security structures and procedures in place within the target.
Post-completion, it is also prudent to audit the security processes and structures of the acquired business, both to validate any assurances given by the sellers around security and to confirm that its security is at the same level as your own.
6. It could have been worse! Under GDPR the ICO could impose a fine of up to 4% of worldwide annual turnover or €20m, whichever is higher. With revenues in the order of £20bn, the fine could have been up to £800m.
The proposed fine may yet be reduced, but it is clear from these investigations that data protection, and the security of personal data, must be taken extremely seriously.