The UK Information Commissioner's Office ("ICO") announced on 30 October 2020 that it has decided to fine Marriott International, Inc. ("Marriott") £18.4m under the General Data Protection Regulation ("GDPR") for a personal data breach that occurred in relation to the Starwood guest reservation database system and affected up to 339 million guests, around 30 million of which were records relating to individuals in the European Economic Area ("EEA") with 7 million relating to individuals in the UK.
The final amount, whilst being a substantial fine, is a significant reduction from the £99.2m the ICO announced it intended to issue in its second notice of intent in July 2019. However, the reduction comes as little surprise following the ICO's recent reduction of its fine on British Airways from £183.39m to £20m.
The breach is believed to have started when Starwood's systems were affected by a cyber-attack in 2014, giving the attacker access to a range of personal details including: names, email addresses, phone numbers, passport numbers, arrival and departure information, VIP status and loyalty programme numbers. Marriott, which acquired Starwood in 2016, uncovered the breach and notified the ICO in November 2018 when it determined that personal data had been compromised as a result.
The subsequent ICO investigation found that Marriott failed to process personal data in a manner that ensured appropriate security of the personal data as required by Article 5(1)(4) and Article 32 GDPR.
In its final penalty notice the ICO stressed that the decision relates solely to the period of the breach from 25 May 2018 (when the GDPR came into effect) and recognised that Marriott had acted quickly once it discovered the breach, promptly informing its guests and taking steps to protect their interests. The fine represents 0.11% of Marriott's annual turnover in 2018, which was £15.5bn. Marriott continues to face a separate representative class action for the same incident.
The ICO's decision
In reaching its decision, the ICO identified a number of security issues. The ICO acknowledged that while Marriott had taken steps to prepare for the GDPR, this did not mitigate the failure to implement appropriate security measures in relation to the systems Marriott acquired. Marriott had proposed decommissioning the Starwood systems in early 2018, but this was delayed until the end of 2018.
Marriott's representations stated that it was only able to carry out limited due diligence on Starwood's systems and databases on acquisition. The ICO reiterated that, as the decision only considered the period after the GDPR came into effect, no finding of infringement was made in relation to the due diligence undertaken at the time of purchase. It also stated that the need for a controller to conduct due diligence in respect of its data operations is not a time-limited or one-off requirement, particularly for a global business. Even if appropriate due diligence had been undertaken at the point of acquisition, that would not have removed Marriott's obligation to ensure, on a continuing basis, that it complied with the GDPR. The ICO's statements highlight the need for purchasers to carry out thorough due diligence and to obtain assurances from sellers of compliance with data protection requirements.
Draft Internal Procedure
Echoing the representations made by British Airways against its fine, Marriott submitted that the ICO's use of an unpublished draft internal procedure, which placed revenue at the centre of calculating penalty amounts, was unlawful. Interestingly, this procedure was not referred to by the ICO in the final penalty calculation, suggesting it will no longer be considered in future enforcement actions, but the ICO reiterated that turnover would continue to be an important factor when calculating fines.
Following the ICO's own published guidance on its Covid-19 approach, the reduced fine includes a £4m reduction to take into account the impact of the pandemic on Marriott and more generally. In the circumstances, this does not appear to be a dramatic reduction of the level of fine ultimately issued.
© Copyright 2020. The Mayer Brown Practices. All rights reserved.