Introduction

On 9 July 2019, the Information Commissioner's Office (ICO) issued a notice of its intention to fine Marriott International £99,200,396 for infringement of the General Data Protection Regulation (GDPR), following Marriott's disclosure in November 2018 of a large personal data breach. The notice came a day after the ICO's notice of intent to fine British Airways £183.39 million for a breach of a similar kind. Together, the two cases highlight the need for organisations to develop a proactive culture of personal data and privacy protection.

The breach 

The breach is believed to have begun in 2014, when the computer systems of Starwood Hotels & Resorts were compromised. Marriott International acquired Starwood in September 2016, but the intrusion went undetected until September 2018, when an internal security tool alerted Marriott to an attempt to access the Starwood guest reservation database. The company engaged outside security experts, who confirmed that unauthorised access to the Starwood network had been taking place since 2014.

Records relating to approximately 339 million guests are believed to have been exfiltrated during the breach. Around 30 million of these concerned residents of 31 countries in the European Economic Area, and about 7 million concerned UK residents. The data related to guests who had made a reservation and included names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, arrival and departure information, reservation dates and communication preferences. The stolen data also included encrypted and unencrypted payment card numbers.

After confirming the incident, Marriott International reported it to supervisory authorities, including the ICO, in November 2018. It also took remedial steps, including notifying affected customers, implementing additional security measures and offering affected customers a free one-year personal-information monitoring service.

The fine

The ICO contends that Marriott International “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.” Information Commissioner Elizabeth Denham added: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess, not only what personal data has been acquired, but also how it is protected.”

Some observers regard the proposed fine of £99,200,396 as modest given the scale of the breach. This may reflect the fact that Marriott International co-operated with the supervisory authorities during the investigation and quickly adopted new security measures, both of which the GDPR treats as mitigating factors when a penalty is set.

Marriott International, for its part, disputes the ICO's assessment. It points out that the breach of the Starwood guest reservation database was the work of criminal actors, and it has said it will contest the notice of intent.

Lessons learnt

  • During corporate acquisitions, companies need to remember that personal data can be both an asset and a liability. In the case of Marriott International, it is clear that in acquiring Starwood the company inadvertently took over an ongoing data breach, one that will not only cost it money but has also damaged its global brand, particularly in terms of customer trust. A data protection audit that specifically examines data security and the possibility of existing or historic breaches should be a standard part of acquisition due diligence, alongside the financial and legal review.
  • Threats and vulnerabilities keep evolving, and an attacker only needs to succeed once to cause massive damage. The focus, therefore, should be on developing an active culture of data protection and privacy security throughout the entire organisation. Clear privacy policies, data protection impact assessments, privacy by design and by default, staff training, continuous monitoring and regular review of security controls are measures that all organisations have to prioritise as part of their corporate governance.
  • Organisations need a well-thought-out cyber incident management plan, and they should rehearse it well in advance so that every stakeholder knows their responsibilities in the event of a breach.
  • Security controls and technologies should be in place to let an organisation detect personal data breaches, or attempts on its systems, quickly. In Marriott International's case, the fact that the intrusion continued for four years before it was discovered is an indictment of the detection capabilities of the systems involved.
  • Once a breach is confirmed to be reportable, the supervisory authority must be notified without undue delay; under Article 33 of the GDPR this means within 72 hours of becoming aware of the breach where feasible, with reasons given for any delay. Thereafter the organisation should fully cooperate with the investigation. Transparency during the investigation is a strong mitigating factor.
  • At the heart of an effective data protection and privacy programme is the appointment of a competent and experienced Data Protection Officer (DPO) to oversee compliance with data protection and privacy laws and regulations. Under Article 37 of the GDPR a DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data; for other organisations it remains good practice.

Conclusion

Although the threat of large fines is a serious concern for directors of major organisations around the world, their corporate governance priority should be the development and implementation of proactive data protection and privacy security programmes. A culture of data protection goes a long way towards building customer trust and hence enhancing the brand. The appointment of a competent and experienced DPO is the foundation of an effective data protection programme.