Notice of intent to fine Marriott International, Inc. £99.2 million
Information Commissioner's Office
What do I need to know?
The UK's data protection regulator, the ICO, intends to fine Marriott International, Inc. £99.2 million. This proposed fine arises from a cyber-incident which affected Starwood hotels from 2014 to 2018. Marriott bought Starwood hotels in 2016 while the incident was ongoing.
The ICO's investigation highlighted that, when buying Starwood, "proper due diligence" of the personal data Marriott was acquiring and of how it was protected would have helped Marriott meet its obligations under data protection law. The ICO also noted that companies have a legal duty to ensure the security of personal data "just like they would do with any other asset".
This is not a final decision. Marriott had 21 days to make representations to the ICO following a "Notice of Intent" to issue a penalty in July 2019. The ICO reported that Marriott made these representations, which the ICO is now considering.
The Information Commissioner will consider whether to give a penalty notice, and if so, the amount of the penalty.
We expect to hear a further update from the ICO this spring.
Facts and Notice
- In 2014 the systems of Starwood hotels group were compromised by a cyber-incident. Marriott acquired Starwood in 2016.
- The GDPR took effect on 25 May 2018. This law includes mandatory data breach reporting (over a certain risk threshold) and the principle of "accountability", which is about demonstrating compliance with the law.
- In November 2018 Marriott identified the cyber incident and informed the ICO. Over the course of the incident, personal data contained in approximately 339 million guest records was exposed.
- These included 30 million records of residents of 31 countries in the EEA and 7 million records of UK residents.
- Marriott has subsequently co-operated with the ICO investigation and made improvements to its security.
ICO Notice of Intent
The ICO intends to fine Marriott £99.2 million. Their investigation found that Marriott failed to undertake proper due diligence when buying Starwood and should have done more to secure its systems.
Reasoning behind the proposed fine
The Information Commissioner's press release identifies "proper due diligence when making a corporate acquisition" as part of the accountability principle.
The press release goes on to state that companies can also fulfil their accountability obligations by assessing "not only what personal data has been acquired, but also how it is protected".
The GDPR also contains specific security obligations which support the principle of "integrity and confidentiality".
The press release does not specifically identify any breach of the security obligations but notes that "personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset."
This proposed fine was announced the day after the ICO proposed a fine of £183 million against British Airways. That fine related directly to "poor security arrangements". The Information Commissioner said the "law is clear – when you are entrusted with personal data you must look after it".
What are the implications of this fine?
Sufficient due diligence
It is clear the ICO expects "proper due diligence" over data protection issues. This includes not only identifying the data held by a target company but also its compliance measures, including information security. This may include assessing actual compliance with policies or testing information security measures.
This proposed fine highlights the potential risk for buyers around historic or ongoing cyber incidents or other breaches of the data protection principles. Buyers should ensure suitable protections are in place.
Maximum fine and scope
The maximum fine under GDPR is €20 million or 4% of an undertaking's total worldwide annual turnover, whichever is higher.
An "undertaking" is a concept derived from European competition law and broadly means a "single economic entity". Depending on the "decisive influence" exercised within a group, this may mean the maximum fine is assessed on total worldwide group revenue.
The maximum fine under the previous data protection regime was £500,000. Both the BA and Marriott notices show the shift in risk profile around personal data.
This fine is against Marriott International, Inc., an American company, and is an important reminder of the extra-territorial scope of GDPR.
As mentioned above, the Information Commissioner is considering representations made by Marriott in order to decide whether to give a penalty notice, as well as the amount of the penalty.
However, there has been commentary claiming that a delay has been agreed between Marriott and the ICO. Commentators have stated that Marriott and the ICO have agreed to an extension of the regulatory process until 31 March 2020.
We expect to hear an official update from the ICO in the spring.