For the second time in as many weeks, the Information Commissioner's Office (ICO) has issued a significant fine for contraventions of the General Data Protection Regulation (GDPR). As with the £20 million penalty notice issued to British Airways on 16 October 2020, the latest penalty notice issued to Marriott International, Inc, at £18.4m, is a significant fine in its own right, but dramatically lower than the £99.2m the ICO indicated it was intending to fine the Hotel Chain on 5 July 2019.
The ICO's investigation concerning Marriott arose from the compromise of the Starwood Guest Reservation System, which had led to the exfiltration and suspected decryption of hundreds of millions of customer records (including passports and credit card details) worldwide by the hackers. Over thirty million of these records related to data subjects in member states of the European Economic Area (EEA), including the UK, and therefore within the jurisdiction of the ICO.
An account of the compromise is provided both in the Penalty Notice and the testimony of the President and CEO of Marriott International, Arne Sorenson, to the US Senate. Of particular interest, however, was the fact that the attack – which was identified in September 2018 – had its origins back in 2014, when vulnerabilities in the IT systems of the Starwood network of hotels (including the Westin, Sheraton, St Regis and W brands) had first been exploited. Starwood was acquired by Marriott in 2016 and, despite undertaking due diligence, these historic issues had not been discovered. (This also pre-dated GDPR coming into force, by a number of years, although the ICO makes it clear that its action is for the period following implementation of GDPR in May 2018).
In issuing the Penalty Notice, the Information Commissioner was satisfied that Marriott had failed to comply with its obligations under GDPR to ensure that personal data was processed in a manner that ensured appropriate security, using appropriate technical or organisational measures (see Articles 5(1)(f) and 32 of GDPR). The ICO noted that a lack of appropriate monitoring of user accounts and databases had contributed to serious security deficiencies and there was insufficient depth in defence of security to protect the systems and enable swift mitigation of any bypassing of the security controls. Further, the partial and selective encryption of data, without any supporting risk assessment or rationale, was criticised.
As with the penalty notice issued to BA, the Information Commissioner does not categorically use the proposed sum in the notice of intention to fine as a starting point, nor indeed is there any genuine attempt made to justify the £99.2m figure previously given to Marriott. Rather, the starting point for the fine is stated to be £28m, taking into account the nature of the breach and a number of other factors.
Remedial measures taken by Marriott, including notifications to impacted data subjects; establishing a dedicated call centre; providing web monitoring; engaging with card networks; and improving its technical and organisational measures, resulted in a 20% discount being applied and reducing the fine to £22.4m. Interestingly the same discount was applied to the BA fine, even though different remedial steps were taken, suggesting that this could be the maximum discount achievable for remedial measures.
Given the impact of the global Covid-19 pandemic, a further £4m discount was applied, bringing the final total to £18.4m. Unlike BA where a similar reduction was made on account of the financial hardship caused by the health emergency, the justification for this discount to Marriott was rooted more in a policy decision concerning the ICO's approach to fines at this time.
Marriott has indicated that it has no intention to appeal, although it denies any liability.
Inevitably, the BA and the Marriott penalty notices will both form the foundation of a new, evolving jurisprudential basis of GDPR enforcement by the ICO. The fact that both notices fail to engage with the headline-grabbing fines set out in the notices of intent to fine of last summer, however, suggests that we might have already seen an early shift in the future approach to fines and that the ICO might be more circumspect in setting indicative levels of penalties in initial notices. (It will be recalled that the notices of intent to fine in both cases were made public as a result of regulatory reporting requirements of both companies, rather than a proactive, overt display of muscular regulatory strength by the ICO.) Quite aside from the precise levels of fine, the notices themselves also serve up a number of key findings of fact, which could form the basis of future civil liability for both organisations and data subjects in the coming weeks and months.
For those businesses seeking to engage in M&A activity, however, the Marriott fine is a salutary reminder that, even if IT vulnerabilities of the target company may not have been properly uncovered during the due diligence process, then upon completion, as acquirer, you will become fully responsible for ensuring cyber resilience of the entire enterprise, including its legacy IT systems and network solutions.
Related coverage
Computer Weekly
National Technology News
Fire Safety Matters