On October 30th, 2020, The Information Commissioner’s Office (“ICO”) announced its fine of £18.4 million issued to Marriott International, Inc., (“Marriott”) for violations of the General Data Protection Regulation (“GDPR”). This is a significant decrease from the proposed fine of £99.2 million announced by the ICO in July 2019 (see our previous article) against the background of Marriott’s security breach, reported to have lasted some four years between 2014 and 2018, with the fine relating to the breach only from the point at which the GDPR came into force in May 2018. It is the second largest GDPR fine levied by the regulator thus far, behind that imposed on British Airways. To date, Marriott has not admitted liability for the breach, but the major international hotel operator has indicated that it does not plan to appeal the decision.
In 2014, Starwood Hotels and Resorts Worldwide Inc. (“Starwood”) were victims of a cyberattack affecting an estimated 339 million guest records globally, with seven million records relating to individuals in the UK. The attack remained undetected until September 2018, by which time Marriott had acquired Starwood. The affected data included names, email addresses, phone numbers, passport numbers, arrival and departure information, and VIP status and loyalty program information. The malicious actor, rumoured to be connected to Chinese intelligence, though never unmasked, installed code on a device in the Starwood system and through malware gained remote access as a privileged system user, which enabled it to infiltrate and take control of their systems. Marriott notified the ICO and affected individuals in November 2018, some two months after becoming fully aware of the nature of the breach. Two years on, Marriott has received a substantial fine for data breaches and has no doubt incurred substantial legal costs.
What should companies learn from this?
Prompt notification to affected data users and reporting to the ICO remain key
The GDPR and the Data Protection Act 2018 (“DPA”) require that all organisations report personal data breaches to the ICO within a 72-hour period unless there is a reasonable explanation for not doing so. While the ICO accepted that in the circumstances Marriott acted promptly and so no breach of the Article 33 GDPR notification obligation had occurred, it did not accept the argument that Article 33 GDPR requires a data controller to be reasonably certain that a personal data breach has occurred before notifying the ICO. The regulator reminded Marriott that a controller must be “able reasonably to conclude that it is likely a personal data breach has occurred” (emphasis added).
No breach of the Article 34 requirement to notify data subjects of the breach was found, but the ICO pointed to several shortcomings in Marriott’s approach, such as an accidental failure to include the phone number for its “dedicated call centre” in the email sent to data subjects. The ICO however acknowledged that Marriott took prompt steps on discovering the data breach to mitigate the effects of the cyberattack and to protect the interests of its guests, such as (i) creating a bespoke incident website in numerous languages, (ii) sending notification emails to data subjects, (iii) establishing a dedicated call centre, and (iv) providing web monitoring to affected data subjects. These factors usefully illustrate what the ICO will take into consideration when assessing how mitigation of a personal data breach may affect overall culpability and the level of penalty.
Data controllers would do well to note that, while these factors will not always apply to every situation and are by no means exhaustive, they are instructive and should be borne in mind when seeking to remediate major data breaches. Nonetheless, data controllers should ensure that they comply with the prompt reporting obligations, both in respect of those affected by the data breach and the ICO itself, to avoid the wrath of the latter.
Implement appropriate technical and organisational measures that match the seriousness of the cyber threat – security and monitoring
The ICO found that Marriott had failed to put appropriate technical and organisational measures in place to secure personal data, as required under Article 5(1)(f) and Article 32 GDPR. The regulator identified four principal failures: insufficient monitoring of privileged accounts that would have detected the breach; insufficient monitoring of databases; failure to implement measures to reduce the vulnerability of the server (which would have restricted access to key aspects of their databases); and failure to encrypt certain personal data, including some passport numbers (only credit card data had been encrypted). It is unlikely that these measures would have prevented the attack, but the ICO’s reasoning is that they could have made earlier detection possible (and, it seems, limited access to differing types of data). Encryption is key, but an informed decision needs to be made about what is to be encrypted.
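The first two failures the ICO identified, monitoring of privileged accounts and of databases, are the kind of control a security team can express as simple detection rules over audit logs. The following is an added illustration and not code from the article, the ICO or Marriott: it reads a constructed JSON-lines audit log and raises alerts for a privileged account logging in from a host outside its baseline, and for a bulk table read, escalating when the bulk read follows an anomalous login by the same account. The account names, hosts, thresholds and log format are all assumptions made for the example.

```python
import json

# Constructed baseline: the hosts each privileged account is expected to log in from.
BASELINE_HOSTS = {
    "svc_dbadmin": {"mgmt-01", "mgmt-02"},
}
PRIVILEGED = set(BASELINE_HOSTS)
BULK_ROW_THRESHOLD = 10_000  # rows returned by a single query considered "bulk"

# Constructed audit log (JSON lines) mixing login and database query events.
# Values are invented for this example, not taken from the incident.
SAMPLE_LOG = """
{"ts":"2018-09-01T02:10:00Z","event":"login","user":"svc_dbadmin","src":"mgmt-01"}
{"ts":"2018-09-01T02:12:00Z","event":"login","user":"svc_dbadmin","src":"ws-4471"}
{"ts":"2018-09-01T02:15:00Z","event":"query","user":"svc_dbadmin","table":"guests","rows":2500000}
{"ts":"2018-09-01T09:00:00Z","event":"query","user":"app_web","table":"guests","rows":1}
{"ts":"2018-09-01T09:05:00Z","event":"query","user":"svc_dbadmin","table":"guests","rows":12}
"""


def detect(log_text):
    """Return a list of (reason, record) alerts from a JSON-lines audit log."""
    alerts = []
    suspect_users = set()  # accounts that already triggered a login alert
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        user = rec["user"]
        if rec["event"] == "login" and user in PRIVILEGED:
            # Privileged logins are only expected from baseline management hosts.
            if rec["src"] not in BASELINE_HOSTS[user]:
                alerts.append(("privileged login from non-baseline host", rec))
                suspect_users.add(user)
        elif rec["event"] == "query" and rec["rows"] >= BULK_ROW_THRESHOLD:
            # Database monitoring: a single query returning a large slice of a table.
            if user in suspect_users:
                alerts.append(("bulk table read after anomalous privileged login", rec))
            else:
                alerts.append(("bulk table read", rec))
    return alerts


if __name__ == "__main__":
    for reason, rec in detect(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['user']}: {reason}")
```

The same two rules would not stop an intruder who already holds privileged credentials, which matches the ICO’s point that such monitoring enables earlier detection rather than prevention.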
The international hotel operator sought to persuade the ICO that the sophistication of the attack should have been taken into account in determining appropriate enforcement action against it. The ICO rejected this, stating: “What the attack [sic] disclosed was the failure by Marriott to put in place appropriate security measures to address attacks of this kind and/or other identifiable risks to the system.”
In essence, the data controller is required to anticipate a sophisticated attack against its interests and those of the data subjects whose data it holds and processes, and to have defensive measures to match. Anything less is simply not good enough. This appears to be a ‘wake-up call’ to that ever decreasing number of businesses for whom data breach is not already a key strategic risk that has to be mitigated properly by true cyber expertise which is properly resourced, and with appropriate board supervision and responsibility.
The fundamental importance of due diligence on acquisition
The Marriott data breach and subsequent fine highlight the importance of firms and organisations conducting thorough due diligence when they intend to acquire or merge with other firms. It is important that the IT and cyber security measures of the target firm are GDPR compliant and that any attempt to compromise them has been investigated to the point where any assertion that the acquiring party has not put acceptable technical and organisational measures in place can be rejected. Here Marriott appeared not to know the vulnerabilities of what it had purchased. Though the ICO only ascribed liability to Marriott from May 2018, it is a timely reminder to firms to allow their cyber professionals (in-house or otherwise) to play an active role in any acquisition and merger negotiations, and even more so when the target is rich in personal data. Insurance will also be key, and as the cyber insurance market matures, the insurance costing of risk should become the norm.
How did the ICO arrive at the Marriott fine?
The ICO applied the five-step process set out in its Regulatory Action Policy in calculating the fine imposed on Marriott. It first established that Marriott did not gain any financial benefit from the breach. However, the regulator considered the distress to individuals, evidenced by the likely cancellation of payment cards (though there has been no evidence of actual financial loss) and the almost 60,000 calls received by Marriott’s call centre following the breach, as well as the failure to apply reasonable measures to maintain the systems affected by the breach, especially given that Marriott is a large international hotel chain. The ICO therefore concluded that the data breach was serious and must attract a significant fine.
The ICO arrived at a final fine of £28 million, reduced by 20% to £22.4 million. The fine was further reduced to £18.4 million in light of representations made by Marriott, the steps it took to mitigate the impact of the incident, and the economic impact suffered by Marriott as a result of the COVID-19 pandemic. The ICO also considered that Marriott had fully cooperated with its investigation.
The reduction in the fine from the initial proposal is significant in this case, as in the case of British Airways (“BA”). The world economy has been hard hit by the COVID-19 pandemic, with the travel and tourism industry taking the biggest hit of all. The ICO has acknowledged that it took into consideration the impact of the pandemic when calculating and reducing both fines. Helpful though that is in the present, it will not provide long term relief for those failing to maintain the necessary organisational and technical measures to prevent a cyber breach or mitigate its effects.