ICO Announces Intention To Fine Marriott £99 Million

Hot on the heels of the announcement that it intends to fine British Airways £183.39 million for GDPR infringements, the ICO has now also announced its intention to fine Marriott International £99.2 million.

The fine relates to a cyber incident which occurred in 2014 but wasn’t discovered by Marriott until November of last year. It is estimated that 339 million guest records were exposed as a result of the incident, 30 million of which related to residents of countries in the EEA.

The background to the security breach is that in 2014 the IT systems of the Starwoods Hotel Group were compromised, but the exposure of customer records did not come to light at the time. Marriott International acquired Starwoods in 2016. However, it also failed to detect the security breach. The breach was finally spotted in the Autumn of 2018, when Marriott International made a notification to the ICO.

Commenting on the incident, the Information Commissioner, Elizabeth Denham emphasized that organisations must be accountable for the personal data that they hold and that this includes:

• undertaking proper due diligence when acquiring other companies;

• ensuring organisations assess what personal data they have acquired; and

• ensuring that such personal data is properly protected.

Marriott International had failed to undertake such steps.

WHAT CAN WE LEARN?

As well as making it clear that the ICO intends to make full use of its new fining powers under the GDPR, the Marriott International case also highlights the risks that can arise in the context of corporate acquisitions. In order to limit such risks, it is vital that purchasers give proper regard to data protection and IT security when carrying out due diligence on targets. It’s also important that:

• robust warranties are included in the acquisition documentation (accompanied by a sufficiently generous warranty period);
• caps on liability take into account both the levels of fines that can be imposed under the GDPR and the possibility of compensation claims from individuals.

If you’d like more information about the Marriott fine or want to know more about accountability under the GDPR in the context of acquisitions, please contact a member of Geldards’ Information Law Team.