The ICO has announced its decision to fine the Marriott hotel chain £18.4m for a data breach that began in 2014 and resulted in more than 300 million guest records being accessed as part of a cyber attack. Whilst still a sizeable fine, this figure is significantly below the £99 million penalty that the chain was initially facing. Here the Kuits commercial team assesses the reasons behind the ICO reducing the fine and what lessons can be learned from the case.
Background
The cyber attack commenced in 2014 and was targeted at Starwood Hotels & Resorts Worldwide Inc., whose brands include Sheraton, W Hotels and St. Regis. The attacker continued to access Starwood's systems following Marriott's acquisition of Starwood in 2016, until the breach was finally detected in late 2018. By this time more than 300 million guest records, including 7 million records relating to UK guests, had been accessed. The data included customer names and contact details, credit card numbers, passport information and loyalty programme details.
The amount of the penalty
When the ICO initially announced its intention to fine Marriott for the breach, the intended penalty was £99 million, or about 3% of Marriott's global turnover at the time. The final penalty appears to have been reduced for the following two key reasons:
- To recognise Marriott's speedy response after discovering the attack, both in improving its IT security and in its approach to guests affected by the breach, for example by setting up a dedicated website to provide information to affected guests.
- The impact of the Coronavirus pandemic on Marriott's revenue, echoing the ICO's reasoning for reducing the penalty given to British Airways for its data breach.
What can be learnt from this penalty?
This breach highlights the importance of carrying out thorough due diligence on target companies, including, in particular, their data protection compliance. As part of its investigation, the ICO found that Marriott had failed to carry out an adequate due diligence process when acquiring Starwood, despite Starwood's systems reportedly having known security weaknesses.
Following the acquisition, it took more than two years for Starwood's booking platform to be integrated into Marriott's own systems. During that time the legacy system continued to be accessed by the attacker, something which could have been prevented had the integration been given higher priority following the acquisition, or had due diligence been properly carried out.
A reminder in respect of Brexit
Finally, with the end of the Brexit transition period on 31 December 2020, the case is also a useful reminder of the changes to data protection enforcement that will occur following Brexit. Since Marriott's data breach was reported before the UK left the EU, the ICO was able to investigate, and impose a penalty, on behalf of all EU authorities in its role as lead supervisory authority under the GDPR.
However, from the end of the transition period the EU GDPR will no longer apply to the UK. Although the obligations on UK businesses will remain largely the same, as the UK Government has retained the EU GDPR in UK law, the ICO will lose its ability to act as a lead supervisory authority within the EU. This means that where a data breach affects both UK and EU individuals, as happened with Marriott, there is the possibility of a dual investigation by both the ICO and the relevant authority within the EU, although the practical impact of this is still subject to confirmation.
Get in touch with a commercial solicitor in Manchester
If you would like any advice on how to make sure your business is compliant with data protection laws please contact associate Rebecca Bainbridge on 0161 838 7986 or email rebeccabainbridge@kuits.com.