What do I need to know?
The UK's data protection regulator, the ICO, intends to fine Marriott International, Inc £99.2 million. This proposed fine arises from a cyber incident which affected Starwood hotels from 2014 to 2018. Marriott bought Starwood hotels in 2016 while the incident was ongoing.
The ICO's investigation highlighted that when buying Starwood, "proper due diligence" of the personal data they were acquiring and how it was protected would help meet Marriott's obligations under data protection law. They also noted that companies have a legal duty to ensure the security of personal data "just like they would do with any other asset".
This is not a final decision. Marriott now has 21 days to make representations to the ICO. Other European data protection regulators can also make representations on the proposed penalty. Following these representations, the ICO will issue a monetary penalty which will include more detail of the specific issues that caused the fine. There is a subsequent appeals process.
Facts and Notice
- In 2014 the systems of Starwood hotels group were compromised by a cyber incident. Marriott acquired Starwood in 2016.
- The GDPR took effect on 25 May 2018. This law includes mandatory data breach reporting (over a certain risk threshold) and the principle of "accountability", which is about demonstrating compliance with the law.
- In November 2018 Marriott identified the cyber incident and informed the ICO. Over the course of the incident, personal data contained in approximately 339 million guest records was exposed.
- These included 30 million records of residents of 31 countries in the EEA and 7 million records of UK residents.
- Marriott has subsequently co-operated with the ICO investigation and made improvements to its security.
ICO Notice of Intent
The ICO intends to fine Marriott £99.2 million. Their investigation found that Marriott failed to undertake proper due diligence when buying Starwood and should have done more to secure its systems.
Reasoning behind the proposed fine
The Information Commissioner's press release identifies "proper due diligence when making a corporate acquisition" as part of the accountability principle.
The press release goes on to state that companies can also fulfil their accountability obligations by assessing "not only what personal data has been acquired, but also how it is protected".
The GDPR also contains specific security obligations which support the principle of "integrity and confidentiality".
The press release does not specifically identify any breach of the security obligations but notes that "personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset."
This proposed fine was announced the day after the ICO proposed a fine of £183 million against British Airways. That fine related directly to "poor security arrangements". The Information Commissioner said the "law is clear – when you are entrusted with personal data you must look after it".
What are the implications of this fine?
Sufficient due diligence
It is clear the ICO expects "proper due diligence" over data protection issues. This includes not only identifying the data but also the compliance measures, including information security, in a target company. This may include assessing actual compliance with policies or testing information security measures.
This proposed fine highlights the potential risk for buyers around historic or ongoing cyber incidents or other breaches of the data protection principles. Buyers should ensure suitable protections are in place.
Maximum fine and scope
The maximum fine under GDPR is €20 million or 4% of an undertaking's total worldwide annual turnover, whichever is higher.
An "undertaking" is a concept derived from European competition law and broadly means a "single economic entity". Depending on the "decisive influence" exercised within a group, this may mean the maximum fine is assessed on total worldwide group revenue.
The maximum fine under the previous data protection regime was £500,000. Both the BA and Marriott notices show the shift in risk profile around personal data.
This fine is against Marriott International, Inc, an American company, and is an important reminder of the extra-territorial scope of GDPR.
As mentioned above, Marriott and other European regulators have 21 days to make representations.
Following these representations the ICO will either serve a monetary penalty notice (which will confirm the final fine) or cancel the notice of intent. The penalty notice is typically made public and will include more details of the breaches which have caused the fine.
Marriott will then be able to appeal to the Information Tribunal. They can appeal against the notice itself and/or the quantum of the fine.