Here’s an extract from the article:
“On October 30th, 2020, The Information Commissioner’s Office (“ICO”) announced its fine of £18.4 million issued to Marriott International, Inc., (“Marriott”) for violations of the General Data Protection Regulation (“GDPR”). This is a significant decrease from the proposed fine of £99.2 million announced by the ICO in July 2019 (see our previous article here) against the background of Marriott’s security breach reported to have lasted some four years between 2014 and 2018, with the fine relating to the breach only from the point at which the GDPR came into force in May 2018. It is the second largest GDPR fine levied by the regulator thus far, behind that imposed on British Airways. To date, Marriott has not admitted liability for the breach, but the major international hotel operator has indicated that it does not plan to appeal the decision.
In 2014, Starwood Hotels and Resorts Worldwide Inc. (“Starwood”) were victims of a cyberattack affecting an estimated 339 million guest records globally, with seven million records relating to individuals in the UK. The attack remained undetected until September 2018, by which time Marriott had acquired Starwood. The affected data included names, email addresses, phone numbers, passport numbers, arrival and departure information, and VIP status and loyalty program information. The malicious actor, rumoured to be connected to Chinese intelligence, though never unmasked, installed code on a device in the Starwood system and through malware gained remote access as a privileged system user, which enabled it to infiltrate and take control of their systems. Marriott notified the ICO and affected individuals in November 2018, some two months after becoming fully aware of the nature of the breach. Two years on, Marriott has received a substantial fine for data breaches and has no doubt incurred substantial legal costs.
What should companies learn from this?
Prompt notification to affected data users and reporting to the ICO remain key
The GDPR and the Data Protection Act 2018 (“DPA”) require that all organisations report personal data breaches to the ICO within a 72-hour period unless there is a reasonable explanation for not doing so. While the ICO accepted that in the circumstances Marriott acted promptly and so no breach of the Article 33 GDPR notification obligation had occurred, it did not accept the argument that Article 33 GDPR requires a data controller to be reasonably certain that a personal data breach has occurred before notifying the ICO. The regulator reminded Marriott that a controller must be “able reasonably to conclude that it is likely a personal data breach has occurred.” (emphasis added).
No breach of the Article 34 requirement to notify data subjects of the breach was found, but the ICO pointed to several shortcomings in Marriott’s approach, such as an accidental failure to include the phone number for its “dedicated call centre” in the email sent to data subjects. The ICO however acknowledged that Marriott took prompt steps on discovering the data breach to mitigate the effects of the cyberattack and to protect the interests of its guests by taking appropriate steps such as (i) creating a bespoke incident website in numerous languages, (ii) sending notification emails to data subjects, (iii) establishing a dedicated call centre, and (iv) providing web monitoring to affected data subjects. These factors usefully illustrate what the ICO will take into consideration when assessing how mitigation of a personal data breach may affect overall culpability and the level of penalty.
Data controllers would do well to note that, while these factors will not always apply to every situation and are by no means exhaustive, they are instructive and should be borne in mind when seeking to remediate major data breaches. Nonetheless, data controllers should ensure that they comply with the prompt reporting obligations, both in respect of those affected by the data breach and the ICO itself, to avoid the wrath of the latter.”
This article was originally published by Lawyer Monthly on 1/12/20. You can read the full version on their website.