On 30 October 2020, the Information Commissioner’s Office (the “ICO”), acting as Lead Supervisory Authority for the purposes of Article 56 of the General Data Protection Regulation (the “GDPR”), issued Marriott International, Inc. (“Marriott”) with a Monetary Penalty Notice (the “MPN”), fining the hotel chain £18.4 million for breaches of Articles 5(1)(f) and 32 GDPR, in relation to a cyber-attack on Starwood Hotels and Resorts Worldwide, Inc. (“Starwood”) which started in 2014 and remained undetected until September 2018 (by which time Starwood had been acquired by Marriott). This cyber-attack led to personal data (including unencrypted passport details, details of travel, and various other categories of personal information including name, gender, date of birth, VIP status, address, phone number, email address, and credit card data) belonging to approximately 339 million customers being exposed.
Despite the four-year period that the breach spanned, the ICO’s findings are confined only to the period following the implementation of the GDPR: 25 May 2018 to 17 September 2018 (the “Relevant Period”).
The MPN was issued just two weeks after the ICO imposed its largest fine to date - £20 million - on British Airways Limited (“BA”), similarly for breaches of Articles 5(1)(f) and 32 GDPR. An analysis of the BA MPN can be found here.
The two decisions share numerous common features, not least the significant reductions in the final penalty figures as compared to those which were proposed in the ICO’s Notices of Intent (“NOI”). In Marriott’s case, the final figure represents just 18.5% of the £99.2 million fine proposed in the ICO’s NOI dated 5 July 2019 or just over 0.1% of Marriott's worldwide turnover in 2018.
Aside from the useful parallels which can be drawn with the BA MPN, the Marriott MPN is helpful in itself for providing further guidance to organisations on how to ensure that they have “appropriate technical and organisational measures” in place to avoid regulatory sanctions in the event that personal data in their possession is compromised following an IT systems breach.
Data controllers and processors would be well-advised to take heed of the detailed guidance comprised in these MPNs, which build on previous MPNs issued in respect of breaches of the seventh data protection principle under the old data protection regime, at Schedule 1 of the Data Protection Act 1998[1]. Sympathy for those who fail to do so is likely to be in short supply at the ICO which, it is clear, will accept little deviation from the standards set out therein, particularly from well-funded data controllers and processors.
The decision also provides some very helpful guidance regarding how organisations should determine whether to notify relevant Supervisory Authorities for the purposes of Article 33 GDPR, and what steps they are obliged to take to notify affected data subjects in order to fulfil their obligations pursuant to Article 34 GDPR.
The regulatory sanction to which Marriott is subject also serves to highlight the importance of undertaking detailed due diligence, and securing relevant contractual protections, for purchasers undertaking corporate acquisitions.
The data breach
The facts of the data breach are, by way of summary, as follows:
- In 2014, Starwood's IT systems were compromised by an attacker who installed a web shell on a Starwood network device, enabling them to remotely access and edit the contents of the system. The attacker exploited this access in order to install Remote Access Trojans (“RATs”), which enable remote administrator system control;
- The attacker installed and executed “Mimikatz”, which allowed the attacker to harvest login credentials temporarily stored in the system memory. The compromised accounts were used to run various commands on the Starwood reservation database, including to identify payment card data. The attacker exported personal data to various “dmp” files on the Starwood system, “potentially” with a view to taking a copy of that data[2];
- On 7 September 2018, the attacker triggered an alert on the Guardium system, which had been applied to certain tables on the database which contained payment card details. Marriott was alerted to this a day later by Accenture (which managed the Starwood Guest Reservation Base); and
- Marriott instigated its incident response plan a few days later, and proceeded to deploy real-time monitoring and forensic tools on Starwood devices so as to identify potentially malicious activity in real-time.
Marriott notified the ICO initially on 22 November 2018, and later on 30 November 2018, upon discovering additional breaches. Affected data subjects started to be informed of the breach from 30 November 2018, when Marriott issued a press release about the attack and established a dedicated incident website.
The ICO’s regulatory response
The ICO commenced its investigation shortly thereafter, and issued a NOI the following July, informing Marriott of its intention to fine it £99.2 million.
As in BA’s case, Marriott provided three sets of substantive written representations (on 23 August 2019, 31 January 2020, and 17 April 2020)[3].
The basis on which the fine was calculated
Again, the key question invited by this MPN is why the final penalty – as in the BA MPN – is significantly lower than that which was proposed in the ICO’s NOI.
In a similar manner to the BA MPN, the Marriott MPN elides the issue and instead proceeds to analyse the penalty in line with the five-step approach in the ICO’s Regulatory Action Policy (“RAP”).
The key factors at play in the Commissioner’s determination of the quantum of fine included:
- The fact that Marriott did not derive any financial benefit from the breach;
- The “significant concern”[4] the Commissioner had in respect of the nature of Marriott’s failings and the “extremely large number of individuals [who] were affected by the breach [339 million guest records, of which 30.1 million were associated with EEA Member States]”[5], some of whom, the Commissioner considered, would likely have suffered distress as a result of the disclosure of their personal information, despite Marriott's contentions to the contrary[6];
- The “significant”[7] period of time (4 months) over which unauthorised access to personal data went undetected (whilst the attack started in September 2014, as noted above, the Commissioner’s findings in respect of the breaches were limited to a much shorter period);
- The negligent (but not intentional) nature of Marriott’s breaches[8];
- The fact that Marriott were “wholly responsible”[9] for the breaches of GDPR during the Relevant Period. The Commissioner noted in this respect that, “[w]hile the entry of the Attacker into Starwood’s systems pre-dates Marriott’s acquisition of that company, Marriott has an ongoing duty to ensure the safety and security of the systems it was using to process personal data”[10]. Marriott’s argument that the engagement of Accenture to provide third party IT services should be taken into account when assessing degrees of responsibility was given short shrift by the Commissioner, who noted that “the engagement of third parties cannot reduce [Marriott’s] degree of responsibility”[11]. Similarly, short shrift was also given to the suggestion that Marriott's adherence to industry standards in relation to payment data was evidence of a wider compliance with data protection legislation[12];
- The full cooperation which Marriott gave to the ICO in relation to its investigation; and
- The absence of previous infringements on Marriott’s part.
An initial figure of £28 million was reached, which was reduced by 20% to £22.4 million, in light of the following mitigating factors[13]:
- Marriott’s increased investment in IT security (it had committed to an increased budget for IT security in 2018 prior to becoming aware of the breach and the budget for IT security for 2020 was increased to $108.5 million);
- The immediate steps taken by Marriott to mitigate the effects of the attacks, including:
- Deployment of real-time monitoring and forensic tools on Starwood devices;
- Password resets;
- Disabling known compromised accounts;
- Implementation of enhanced detection tools;
- Steps taken by Marriott to mitigate the impact of the breach on data subjects, including the establishment of a notification and communication regime (involving notification emails, an incident website and a dedicated call centre). That said, no credit was given by the Commissioner in relation to the fact that Marriott had allegedly spent in excess of $50 million in customer-facing remediation activities;
- Widespread media reporting, which is likely to have increased awareness amongst other data controllers of the risks posed by cyber-attacks; and
- The adverse effect which the breach had on Marriott’s brand and reputation.
As it did in relation to BA, the Commissioner permitted a further reduction of just over £4 million to take into account the impact of Covid-19 on Marriott’s business. The final figure was therefore £18.4 million.
Returning to the question of why this figure is so small by comparison to the fine proposed in the NOI, it is evident that the Commissioner had used – as she had in the BA case – an unpublished internal document entitled “Draft Internal Procedure for Setting and Issuing Monetary Penalties” (“DAP”), which used turnover as the central metric for calculating fines. However, the ICO informed Marriott by way of a letter dated 6 December 2019 – the same date on which BA received an equivalent letter – that the “[DAP] would not be taken into account in setting any penalty imposed on Marriott”[14]. The arguments raised by Marriott in their first representations as to the applicability of the DAP appear to have tracked very closely those made by BA in respect of the same subject matter, and were ultimately successful. The Commissioner made clear in the MPN that reliance was solely placed on Article 83 GDPR, section 155 of the Data Protection Act 2018 and the RAP in deciding the quantum of the fine.
The Commissioner otherwise reiterated a number of points in respect of penalty calculations which had been raised in the BA MPN, notably:
- That the turnover-based approach remains “a relevant consideration in determining the appropriate level of penalty”[15];
- That the current penalty regime does not lack sufficient legal certainty; and
- A lex specialis argument does not apply in the context of a consideration of the interrelationship between Articles 5(1)(f) and 32 GDPR. Whilst BA had argued that there was a clear conflict between the two provisions, Marriott tried a slightly different tack, submitting that Article 5(1)(f) was merely a shorter, summary version of the more detailed, specific obligation in Article 32, and therefore the latter amounted to the lex specialis of the former. The ICO rejected this contention, noting that Article 5(1)(f) is “one of the basic principles of processing” and “cannot be dismissed as simply a summary of a later new provision in the GDPR”[16].
Appropriate technical/organisational measures
The BA MPN was a veritable treasure trove of useful guidance in relation to the Commissioner’s views on “appropriate technical and organisational measures”. The Marriott MPN is no different, albeit with a shift in focus.
Whilst much discussion in the BA MPN was focussed on the steps which might be taken to prevent initial access to IT systems, the Marriott MPN is more focussed on steps which might be taken to identify breaches, and to prevent further unauthorised activity within IT systems, after they have been compromised (issues which were also covered in detail in the BA MPN). This difference in emphasis reflects the fact that, in Marriott's case, the underlying attack had been ongoing since 2014.
Four principal failings were identified by the Commissioner as contributing to her conclusion that “Marriott failed [between 25 May 2018 and 17 September 2018] to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures, as required by Article 5(1)(f) and Article 32 GDPR”[17], namely:
- Failure to sufficiently monitor privileged accounts[18]. The BA MPN discussed privileged account management[19] and provided significant commentary regarding the ease with which the attacker obtained privileged account details. The Marriott MPN does not provide commentary on that issue, and focusses instead on privileged account monitoring. The Commissioner noted that, once access had been gained by the attacker to the Starwood Cardholder Data Environment (“CDE”), there were not appropriate or adequate measures in place to identify the breach and prevent further unauthorised activity, partly because Marriott failed to appropriately monitor privileged account user activity[20]. A forensic report prepared by Verizon noted that Marriott had not configured logging in respect of “access to systems and/or applications within the CDE”[21]. Appropriate monitoring in this respect “would have included the appropriate logging of user activity, especially in relation to privileged users.” The logging of user activity “once within the CDE…would have aided the detection of unusual client activity”[22].
- Failure to sufficiently monitor databases[23]. Numerous failings were identified in relation to database monitoring within the CDE:
- Security alerts: Alerts were only placed on tables within the CDE that contained payment card information. Whilst a risk-based approach may entail additional security alerts being set up in relation to payment card data, this “[did] not justify a complete lack of alerts on tables containing other personal data”[24].
- Logging: Although Marriott used IBM Guardium to monitor database activity, key issues in respect of logging remained. The Commissioner found that there was insufficient logging of key activities – for example, there was no server logging of the creation of files. This allowed the attacker to export entire databases to “dmp” files undetected. Such logging would have been “feasible” for Marriott, as a mass export of data such as this would not regularly occur in the course of business and therefore the number of false positives would have been low[25]. The Commissioner concluded: “[t]hat Marriott did not detect the attack until alerted by Guardium is indicative of Marriott failing regularly to test, assess and evaluate the effectiveness of its security measures.”[26]
- MFA: The Commissioner was at pains to emphasise that: "[c]ontrol of access through MFA does not displace the need for adequate monitoring (including logging) of activities that assist in detecting a breach once it is in train."[27]
- Failure to control critical systems[28]. In addition to increased monitoring, the Commissioner noted that it would have been appropriate for Marriott to implement server hardening[29] “which could have prevented the Attacker from gaining access to administrator accounts and performing reconnaissance before traversing across a network”[30]. Whitelisting would have been one such measure. At a minimum, this could have been expected on: (1) devices which could be remotely accessed; (2) devices which store large amounts or sensitive categories of data; (3) any other systems “critical” to network operations; and (4) any POS terminals at a property level and other devices which process payment card transactions[31]. Marriott could also have “carried out regular audits, updates of software and restricted file and directory permissions”[32]. These measures were described by the Commissioner as “readily available and mature solutions” which could have been implemented “without entailing excessive cost or technical difficulties”[33].
- Failure to use encryption appropriately[34]. The Commissioner took issue with the fact that, whilst payment card data and some passport numbers had been encrypted using an industry standard algorithm, not all passport numbers were encrypted[35]. This approach was described as “inconsistent” and lacking rationale. Nor did she accept Marriott’s argument that it would have been impractical to have encrypted more personal data; she suggested that methods such as the use of UUIDs[36], or hardware security modules, could have been utilised so that decryption could have taken place quickly and with ease[37].
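To make the monitoring failings above concrete, the following added example (not code from the MPN, the ICO, Marriott or Accenture) runs a small detection routine over constructed database audit lines under two policies: one mirroring the failings described (alerts configured only on the payment-card table, no server logging of file creation) and a corrected one (alerts on every table holding personal data, file creation logged, with a known-good baseline so the scheduled backup is not a false positive). The log format, table and account names and the `MonitoringPolicy` class are all assumptions.

```python
import re
from dataclasses import dataclass, replace

# Constructed database audit events in a hypothetical key=value format (not data from the MPN).
# EXPORT events carry the file written on the database server.
SAMPLE_LOG = """\
2018-09-05T02:13:44Z host=db01 user=app_rsv action=SELECT table=reservations rows=1
2018-09-05T02:14:10Z host=db01 user=svc_admin action=SELECT table=guest_profiles rows=250
2018-09-05T02:16:02Z host=db01 user=svc_admin action=EXPORT table=guest_profiles rows=4800000 file=/tmp/gp.dmp
2018-09-05T02:20:31Z host=db01 user=svc_admin action=EXPORT table=passports rows=5250000 file=/tmp/pp.dmp
2018-09-05T03:05:55Z host=db02 user=svc_backup action=EXPORT table=reservations rows=900000 file=/backup/nightly.dmp
2018-09-07T01:42:17Z host=db01 user=svc_admin action=SELECT table=payment_cards rows=3000
"""


@dataclass(frozen=True)
class MonitoringPolicy:
    """Which tables raise alerts, who is privileged, and which activity is known-good."""
    personal_data_tables: frozenset  # every table holding personal data
    alerted_tables: frozenset        # tables on which alerts are actually configured
    privileged_users: frozenset      # admin and service accounts whose activity is reviewed
    baseline: frozenset              # expected (user, action, table) triples, e.g. backups
    file_creation_logged: bool       # whether server-side file creation events reach the monitor


# Weak policy mirroring the failings described: alerts only on the payment-card
# table and no server logging of file creation.
WEAK = MonitoringPolicy(
    personal_data_tables=frozenset({"payment_cards", "guest_profiles", "passports", "reservations"}),
    alerted_tables=frozenset({"payment_cards"}),
    privileged_users=frozenset({"svc_admin", "svc_backup"}),
    baseline=frozenset({("svc_backup", "EXPORT", "reservations")}),
    file_creation_logged=False,
)
# Corrected policy: every personal-data table is alerted and file creation is logged.
CORRECTED = replace(WEAK, alerted_tables=WEAK.personal_data_tables, file_creation_logged=True)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_event(line):
    """Parse one audit line into a dict of fields; 'rows' becomes an int."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ev = dict(pair.split("=", 1) for pair in m.group("kv").split())
    ev["ts"] = m.group("ts")
    ev["rows"] = int(ev.get("rows", "0"))
    return ev


def coverage_gaps(policy):
    """Tables holding personal data that can never raise an alert under this policy."""
    return set(policy.personal_data_tables - policy.alerted_tables)


def detect(log_text, policy):
    """Return (timestamp, rule, user, table) alerts for the audit lines under a policy."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_event(line)
        if (ev["user"], ev["action"], ev["table"]) in policy.baseline:
            continue  # expected activity such as the nightly backup
        # Privileged account touching a table that actually has alerting configured.
        if ev["user"] in policy.privileged_users and ev["table"] in policy.alerted_tables:
            alerts.append((ev["ts"], "PRIVILEGED_ACCESS", ev["user"], ev["table"]))
        # Bulk export written to a file: only visible when file creation is logged.
        if policy.file_creation_logged and ev["action"] == "EXPORT" and "file" in ev:
            alerts.append((ev["ts"], "BULK_EXPORT", ev["user"], ev["table"]))
    return alerts


if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("corrected", CORRECTED)):
        print(f"{name}: unalerted personal-data tables = {sorted(coverage_gaps(policy))}")
        for alert in detect(SAMPLE_LOG, policy):
            print(" ", alert)
```

Under the weak policy the two multi-million-row exports pass silently and the only alert is the later read of the payment-card table; under the corrected policy the exports and the preceding privileged reads are all surfaced while the baselined backup is not.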
Perhaps the most notable point to arise from the Commissioner’s analysis of the appropriate technical and organisational measures is the importance of organisations having in place multiple layers of security. The Commissioner acknowledged that “no single security measure can fully protect a system against attack or compromise”. As such, it is wholly appropriate to adopt a strategy of “defence in depth”[38]. In this regard, the Commissioner was at pains to emphasise, as was the case in the BA MPN, that Marriott had failed to heed publicly available guidance in developing its cyber-security policies and procedures, referring, in particular, to the NCSC's "10 Steps to Cyber Security: Guidance on how organisations can protect themselves in cyberspace, including the 10 steps to cybersecurity"[39] and "Introduction to identity and access management"[40].
It is also worth noting that, as she did in the BA MPN, the Commissioner rejected the assertion that the sophisticated nature of the attack in any way detracted from culpability: “the sophistication or specific vector of the attack is not the relevant focus”[41].
When the Marriott NOI was issued, the Commissioner considered that Marriott had breached both Articles 33 and 34. However, the Marriott MPN finds that, on further consideration, including of Marriott's representations, this was not, in fact, the case. The reasoning behind the Commissioner's findings provides helpful guidance regarding the ICO's interpretations of these aspects of the GDPR.
Article 33 GDPR
The Commissioner helpfully clarified the appropriate test to be applied by data controllers when deciding whether to make a notification to the ICO in accordance with Article 33 GDPR.
Marriott had argued that a data controller must be “reasonably certain” that a data breach has occurred before notifying the ICO. The Commissioner disagreed: a data controller “must be able to reasonably conclude that it is likely a personal data breach has occurred to trigger the notification requirement under Article 33”[42].
Article 34 GDPR
The Commissioner emphasised that, although she considered Marriott had not, in fact, breached Article 34 GDPR, the fact that it had established a dedicated website regarding the breach, and issued a press release in relation to it, was not sufficient to discharge its obligations in this regard[43]; it was obliged to contact affected data subjects individually (e.g. via email) unless it could be shown that to do so would involve disproportionate effort, which, on the facts, Marriott was unable to demonstrate.
Marriott has stated that it does not intend to appeal the ICO’s decision. In doing so it emphasised, no doubt with a view to the civil claims which it is facing arising out of the breach, that it makes no admission of liability in relation to the Commissioner's findings or the underlying allegations.
Operate legacy systems at your peril
Marriott had planned to migrate the data on Starwood's IT systems, which Marriott had improved since it had acquired Starwood, to Marriott's IT systems before GDPR had come into force, and, thereafter, decommission Starwood's IT systems. However, that process was delayed until the end of 2018, meaning that personal data continued to be located on those IT systems after the GDPR came into force.
In the instant case, Marriott's request for clemency on the basis that the IT systems affected were due to be decommissioned, and the fact that it had made improvements to those systems since it acquired Starwood, fell on deaf ears, with the Commissioner emphasising: “the fact that an IT system is due to be retired shortly does not disapply the GDPR to the data being processed through that system”[44]. Whilst decommissioning “may be a relevant factor in determining what measures would be appropriate in a given case, this ultimately does not remove the basic obligation to put in place security measures appropriate to the risk posed by the continued processing”[45].
The message is clear: organisations should not let their guard down just because a system is due shortly to be decommissioned or expect to be relieved of their obligations as data controller pursuant to the GDPR by virtue of the fact that steps have been taken to improve legacy systems following a takeover.
Levels of future sanctions
It is hardly surprising that the final penalty imposed on Marriott is significantly lower than that which was proposed in the NOI, not least given: (1) the approach taken by the Commissioner in the BA MPN; and (2) the ICO’s investigations into these breaches, the issuance of NOIs, and thereafter, the process of finalising MPNs (taking into account representations made to the Commissioner), ran in tandem.
However, as we noted in our analysis of the BA MPN, caution should be exercised before interpreting this reduction as an indicator of: (1) the level of future fines which may be set by the Commissioner; and (2) the approach to calculating fines which will be adopted by the Commissioner in future cases.
Draft statutory guidance published by the ICO in October 2020 on its regulation policy (the “Guidance”) departs from the five-step approach in the RAP, which was relied upon by the Commissioner in both the BA and Marriott MPNs. The Guidance instead sets out a nine-step approach, with fines in the first instance being calculated in accordance with turnover. Had the Guidance been applied in relation to Marriott, the starting point for the penalty would have been more than double the proposed figure set out in the NOI[46]. As we noted previously, assuming the Guidance is finalised in its current form, “mega” fines – running into the hundreds of millions of pounds – remain a distinct possibility.
Whether or not the Guidance is adopted, the Marriott MPN, like the BA MPN, reinforces the importance for organisations seeking to reduce any potential fine as a result of a serious data breach of (most notably):
- Promptly taking steps to mitigate the effects of the breach (in the present case, for example, deploying real-time monitoring and forensic tools) and addressing deficiencies in “technical and organisational measures” which have become apparent as a result of the breach (here, principally, significantly increasing investment in IT security); and
- Robustly challenging the Commissioner’s early findings in any NOI. Marriott’s proactive and front-foot approach paid dividends in this respect, as did BA’s previously. The Marriott MPN notes, for example, that: "[h]aving considered, in particular, Marriott's Second Representations in response to the draft decision, the Commissioner is satisfied that Marriott did not breach its obligations under the GDPR by relying upon" advice from independent PCI DSS assessors regarding the application of MFA to certain aspects of Starwood's IT Systems[47] and "in the light of Marriott's Representations, the Commissioner has decided not to make a finding that Marriott breached Article 33 GDPR"[48]. Marriott's representations also appear to have been persuasive in the Commissioner determining that she "was wrong provisionally to find in the NOI that Marriott's notification to data subjects breached Article 34 of the GDPR"[49].
Given that the fines which have now been levied against BA and Marriott are of a similar order, and reflect a similar approach in terms of the reductions: (1) made by reference to the fines proposed in the NOI; (2) to reflect the impact of Covid-19 on their recipients' operations; and (3) to reflect the recipients' engagement with the ICO's investigations, further guidance as to how turnover will be weighed in the balance would be welcomed by practitioners, data controllers and processors alike.
Civil claims against Marriott
Our previous analysis on civil claims in respect of BA holds true in relation to Marriott. The upshot of that analysis is, in short, that if all affected guests pursue claims against Marriott, it could be facing liability from those proceedings which may well be many multiples of the fine imposed by the ICO[50].
Due diligence in corporate acquisitions
The regulatory sanction to which Marriott is subject also serves to highlight the importance of undertaking careful due diligence, and securing relevant contractual protections, for purchasers undertaking corporate acquisitions.
In the instant case, whilst the Commissioner did accept that “[t]here may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover”[51], this was of little relevance, as the Commissioner considered that Marriott had had ample time to address issues which were extant at the time of the Starwood acquisition and following that acquisition, and had failed to address those issues, emphasising: "[t]he need for a controller to conduct due diligence in respect of its data operations is not time-limited or a 'one-off' requirement"[52].
Although, regrettably, the Marriott MPN provides little real guidance as to what the ICO would consider best practice in this regard, it is hard to see why a data controller which has acquired a business which has caused data subjects loss by virtue of unlawfully processing, or failing to adequately safeguard, their personal data should be entitled to expect any diminution in the regulatory sanction applicable by virtue of the fact that it conducted thorough due diligence of the target.
Purchasers would instead be well advised to protect themselves in relation to any latent liabilities arising from breaches of data protection legislation on the part of the target company by:
- Undertaking as thorough due diligence as is practicable prior to entering into a corporate acquisition so that any such liabilities can be ascertained (subject to the limitation identified by the ICO regarding competitor businesses) and priced into the deal or appropriate contractual protection can be sought;
- Ensuring that they secure wide-ranging warranties and indemnities specifically focussing on this risk, potentially supported by warranty and indemnity insurance[53] as appropriate, to ensure that the vendor or an insurer assumes responsibility for such liabilities; and
- Undertaking a thorough review of the target's legacy IT systems as soon as practicable following acquisition, and, in any event, well prior to the expiry of any relevant time limitations applicable to the warranties and indemnities provided by the vendor, in order to identify any such liabilities, so that relevant contractual notices, or claims under policies of insurance or otherwise, can be served promptly.