Following an extensive investigation, the Information Commissioner’s Office (ICO) has issued a notice of its intention to fine Marriott International the sum of £99,200,396 for infringements of the General Data Protection Regulation (GDPR). The proposed fine relates to a cyber incident which was notified to the ICO by Marriott in November 2018.
A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.
It’s believed the vulnerability began when the systems of the Starwood Hotels Group were compromised in 2014. Marriott subsequently acquired Starwood Hotels Group in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood Hotels Group and should also have done more to secure its systems.
Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, as well as putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it’s protected. Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Marriott has co-operated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.
The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions, the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.
The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.
Egress CEO Tony Pepper commented: “It’s really interesting that the ICO has issued a second intention to fine under the GDPR just one day after the British Airways news broke. The organisation has barely drawn breath between these two announcements that target two very well-known household names. The ICO has achieved maximum impact in showing the potential of its extended powers under the GDPR. The scale of both fines can leave no doubt in anyone’s mind that we’re now operating under very different standards than when the Data Protection Act was enforced. If it wasn’t clear before, it certainly is now. There can be no hiding place for organisations that fail to adequately protect customer data. If the British Airways announcement felt like the tip of the GDPR iceberg, the Marriott one has started to show how deep this problem really goes and what the ICO is willing to do in order to get to the bottom of it.”
Jake Olcott, vice-president of Government affairs at BitSight, stated: “These fines make it clear. Executives and Boards are responsible and accountable for cyber security. It has never been more important for them to understand and manage their organisation’s security performance just like they would manage any other critical business issue. When it comes to cyber security, ongoing briefings, regular reporting and performance metrics are no longer nice to have. Rather, they’re required.”
Rufus Grig, CTO at Maintel, observed: “Organisations like Marriott and British Airways are strong targets for cyber criminals because they possess vast amounts of high-value personal data that gives hackers a high return on investment. Every company is a target when it comes to cyber attacks, though. There only needs to be a single vulnerability to enable a breach. While cyber criminals will always find new ways of gaining access, there are ways in which to reduce risk and minimise the loss of data.”
Expanding on that last point, Grig explained: “Organisations must use robust IT systems with the latest security systems to tackle this. With the increase in Internet of Things appliances coming on to the now ubiquitous borderless networks, the attraction for hackers to attack will continue to grow. A priority for security teams will be to reduce the time to detect, contain and mitigate breaches. This is a key strategy given malicious actors are now very skilled in delivering multi-layered attacks using diversion techniques. The only way to go about this is applying emerging technologies like predictive analytics with techniques such as machine learning and modelling as another layer of the already complex security stack. As the saying goes, it’s always better to err on the side of caution.”
In conclusion, Grig said: “Businesses cannot promise to stave off every attack, but they can understand how attacks occur, what types of data are at the greatest risk and how to lessen the blow. While Marriott and British Airways are feeling the heat at the moment, the new data protection laws will give businesses more stringent guidelines to follow. By planning, identifying and defending vulnerabilities, firms can ensure they’re GDPR compliant.”
Jon Baines, data protection advisor at Mishcon de Reya, observed: “News of the proposed fines for Marriott International and British Airways is remarkable for a number of reasons. First, and crucially, these are merely ‘notices of intent’. Most recent figures obtained by ourselves under the Freedom of Information Act indicate that nearly one-in-three ICO notices of intent are ultimately either cancelled or result in a lower final penalty.”
Baines continued: “Second, the legality and fairness of the ICO’s investigative procedure has come under serious and extraordinary challenge in the recent case involving Facebook, in which the latter is alleging bias, pre-determination and procedural irregularity. It’s quite possible that similar arguments will be aired in any challenge to these latest notices of intent.”
Baines went on to state: “Third, the notices of intent were announced initially not by the ICO, but by the recipients themselves under their market notification obligations. To this extent, the ICO’s hand has been forced, and it will definitely be hoping it has its factual and legal analyses right because the challenges heading its way are likely to be robust and costly.”
Fourth, the sums involved are huge. According to Baines, they’re “market-influencing”. He said: “Up until now, people were certainly concerned about the GDPR, but this news makes it very clear that fines arising from alleged non-compliance have become a major corporate risk factor. No-one should over-react to this news, but everyone should pay very close attention to developments.”