The Information Commissioner’s Office (ICO) spent the summer flexing its newly acquired GDPR muscles. One of its primary targets, Marriott International Inc. (“Marriott”), has been served with a notice of intention to fine it £99,200,396 for infringements of the regulation.
The proposed fine relates to a breach of the Starwood Hotels guest reservation database. The unauthorised access is believed to date back to 2014. Marriott acquired Starwood in 2016, but the intrusion was not discovered until 8 September 2018, so the attackers had been inside the systems for around four years, two of them under Marriott’s ownership.
Over this period a colossal 339 million guest records were exposed by the incident. The ICO reported that around 30 million of those related to residents of the EEA, and 7 million to UK residents.
The ICO considered that Marriott had failed to carry out sufficient due diligence when it purchased Starwood, and had failed to ensure the security of its own systems and of those it was acquiring.
Marriott will not have to open its wallet just yet. This is a notice of intention to fine, and Marriott will have the chance to make representations on the proposed findings and sanctions before any final decision. The proposed fine reflects the new power under GDPR to fine companies up to 4% of annual worldwide turnover (the previous maximum under the Data Protection Act 1998 was only £500,000). Given that Marriott’s revenue last year was $20.758 billion (£16.679 billion), the fine could have been significantly higher: 4% of that turnover would be over £660 million.
The ICO noted that Marriott had co-operated with the investigation and made improvements to its security arrangements since discovering the breach.
Most people are aware of the large fines now possible for breaches of data protection law. We do not yet have a final decision notice from the ICO, and it will take time for one to be released. What can be gleaned now is that data protection and information security must not be an afterthought in the due diligence process. A purchaser inherits not only the target’s data but also any compromise that already exists within its systems; the Starwood intrusion began two years before Marriott bought the business, yet it is Marriott that faces the sanction. Purchasing businesses need to be confident that their target handles data robustly and does not have any potentially expensive holes in its security systems.
As well as this significant fine, Marriott has been subject to similar decisions in Turkey and could face other sanctions in several jurisdictions. Given that a number of jurisdictions outside the EU have upgraded their data protection legislation towards the GDPR standard, the cost of a global breach can cause serious damage to a balance sheet.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.