Background

The data breach in question arose from a cyberattack in 2014 on Starwood, a business acquired by Marriott.  339 million guest records globally were impacted and 7 million records related to data subjects in the UK. The attacker gained access to a wide range of information, including names, email addresses, phone numbers, passport numbers, arrival and departure information, and VIP status and loyalty program information.   Marriott became aware of the breach in September 2018 and made a breach notification to the ICO in November 2018.

ICO Decision

The ICO announced a fine against Marriott International Inc of £18.4million on 30 October 2020.  Whilst it is still a very significant fine, it was a substantial reduction from the original proposed fine of £99.2million announced by the ICO in its notice of intent in July 2019.  The fine reduction was expected though in light of the ICO's similar fine reduction against British Airways from £183.39million to £20million.  The ICO highlighted that the fine related only to the period from 25 May 2018 when GDPR came in to force and that Marriott had acted promptly once it discovered the breach.

The ICO found that Marriott failed to process personal data in a manner that ensured appropriate security of the personal data as required by Article 5 and Article 32 GDPR.  The ICO identified four main security failures:

  • insufficient monitoring of privileged accounts that would have detected the breach;
  • insufficient monitoring of databases;
  • failure to implement server hardening as a preventative measure
  • failure to encrypt certain personal data, including some passport numbers.

On a positive note, the ICO did not find that Marriott had breached its notification obligation under Article 33 of the GDPR, nor had it breached its Article 34 requirement to notify data subjects of the breach, but noted that Marriott had accidentally failed to include a phone number for its dedicated call centre in its email to data subjects.

An interesting point made by Marriott was that it was only able to undertake limited due diligence when acquiring Starwood.  The ICO, however, gave this argument short shrift.  It made the point that the fine only relates to the period from May 2018 when GDPR came into force.  The ICO stated that the "need for a controller to conduct due diligence in respect of its data operations is not time-limited or a 'one-off' requirement" and that it is "no answer to claim that certain due diligence steps were, or only needed to be, taken in the period immediately after acquisition."

Fine Level

The ICO adjusted the fine downwards and took the following mitigating factors into account:

  • Marriott's full co-operation with the ICO investigation
  • The steps taken by Marriott to mitigate against the breach and prompt contact with data subjects
  • Marriott's improvement and investment in security
  • The impact on Marriott's brand and reputation
  • The economic impact of Covid-19 on Marriot which resulted in the ICO applying a further £4million reduction in the fine

Summary

Although the fine was significantly less than the previously announced proposed fine, it still demonstrates the impact of the ICO's enforcement powers.  For any businesses involved in acquisitions, the case also highlights the importance of undertaking proper data due diligence in corporate transactions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.