On 30 October 2020, the Information Commissioner’s Office (the “ICO”), which is the U.K.’s data privacy regulator, fined Marriott International, Inc. £18.4 million for breaching the data security provisions of the General Data Protection Regulation (“GDPR”). This fine, although large, was significantly less than the £99m which the ICO had initially indicated in July 2019 that it planned to fine Marriott. Marriott has 28 days in which to appeal. The case is of interest not only as the second largest fine issued by the ICO to date but also because of the approach taken by the ICO in assessing the security breach and in calculating the fine – justifying the reduction from its initial indication. In addition, this was a case where the ICO was the lead authority for the European Supervisory Authorities, who have agreed with the ICO’s approach and report. The fine will end up entirely in the hands of the U.K. Treasury, notwithstanding that it represents a penalty for a breach of security relating to individuals in many EEA countries. The case also highlights the risk a purchaser of a business takes on for security breaches that pre-date the acquisition, and the critical importance of effective, ongoing cybersecurity measures in data-intensive businesses, even where the purchaser intends to retire the IT systems it has acquired.
Starwood Hotels and Resorts Worldwide Inc. was subject to a cyber-attack in 2014 from an unknown source. The attack remained undetected until September 2018, and throughout that period the attacker had widespread access to Starwood’s guest card holder data. In September 2016 Marriott acquired Starwood and, in September 2018, an alert was triggered in the Starwood IT system indicating the presence of an intruder. The attack was reported to the ICO in November 2018. Marriott estimated that 339 million guest records worldwide were affected, of which around 30 million related to individuals residing in the EEA and 7 million to U.K. residents (note that one individual could have several guest records, so this is not the number of individuals affected – even so, a considerable number of people were affected). The fine was levied under the GDPR and related only to the period from 16 May 2018 – not to the previous four-year period, which would have been subject to the Data Protection Directive 95/46 and, in the U.K., the Data Protection Act 1998, under which fines were very much lower (the maximum fine then being £500,000).
The personal data involved included all or some of guests’ names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership numbers. Despite the access to this data, the ICO is not aware that any individual has suffered actual financial harm, but it decided that some must have suffered distress.
The Starwood IT system had been outsourced by Starwood to Accenture (whose intruder alert triggered this process). Before and during the acquisition, Marriott undertook some technical due diligence of the system, which failed to identify the system flaws that allowed the intrusion. After the acquisition, Marriott kept the Starwood system separate from its own and intended to discontinue use of the system once it had integrated the relevant parts of it and its data onto Marriott’s own system. In the meantime, it enhanced the security of the system – but without identifying the attack.
The ICO’s findings
Although the ICO agreed that Marriott:
- acted promptly to contact customers and the ICO;
- co-operated fully with the ICO;
- mitigated the risk of damage suffered by customers;
- put in place effective measures to protect those individuals whose data had been compromised;
- has since instigated a number of measures to improve the security of its systems,
it found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the GDPR. In particular, it remarked that Marriott should have adopted better monitoring of user activity as an additional layer of security, and identified the following failings:
- insufficient monitoring of certain accounts;
- insufficient monitoring of databases within the Starwood card holder data environment;
- lack of control of critical systems;
- inadequate encryption of data.
It is important to remember that, as these findings relate to a relatively short period since the coming into force of the GDPR, the fine did not relate to potential failings at the time Marriott purchased Starwood, for example the failure of Marriott’s technical due diligence process to spot security flaws in the acquired legacy system at the time of the acquisition.
In addition, the ICO refuted Marriott’s claim that it was seeking to impose an “...impossibly high standard of care…” in relation to an area where there were “…no clear standards…” and that, in any event, Marriott heavily relied upon its outsourcing partner Accenture to provide appropriate security. On this last point, the ICO pointed out that it was Marriott who, as controller of the data, was responsible for ensuring its security, and it could not escape that obligation by passing it to a third party, even an outsourcing market leader such as Accenture, which might be expected to offer state-of-the-art security measures. The fact that Marriott planned to retire the system was no excuse either. The ICO concluded that the fact “…that Marriott did not detect the Attack until alerted…is indicative of Marriott failing rigorously to test, assess and evaluate the effectiveness of its security measures…”.
The calculation of the fine
In July 2019, the ICO issued Marriott with a notice of intent to fine £99m. Subsequently, pursuant to the regulatory process under the Data Protection Act 2018, Marriott made a number of detailed representations, which the ICO considered, along with the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on its business, before setting a final penalty.
The ICO’s Penalty Notice contains a detailed review of the process it undertook in arriving at a fine of £18.4m, which looked at the factors that Article 83 of the GDPR requires to be taken into account in deciding the amount of the penalty. In essence, the size of this fine was driven by the extremely large number of people affected and by the ICO’s view that the infringement was caused by negligent behaviour. The fine was levied under both Article 5(1)(f) (which has a cap of 4% of worldwide turnover) and Article 32 (which has a 2% cap), but as the fine in fact represents less than 1% of Marriott’s turnover, this distinction (i.e. between the amounts that can be fined for breaches of the two articles in play) was not regarded as a significant factor (in itself, this difference in the caps is interesting, given that the obligations under both Articles are very similar - both require the application of appropriate security). In the end, it is not easy to see a rational basis for determining an appropriate fine - there is a feeling that the fine was determined by the ICO sticking its finger in the air, although the ICO rejected Marriott’s criticism that its approach was “wholly arbitrary”. The fine was eventually set at £22.4m but reduced as a result of the COVID-19 pandemic to £18.4m.
It will be interesting to see whether Marriott appeals. Unlike fines for breach of competition law, which are to some extent driven by measurable economic damage, it is difficult to see what theories of damage might validly apply to situations such as this, and it is not easy to discern what precedents have been set for the determination of damages in future cases, except that the larger a business is, the bigger the fine, and that fines of around 1% of turnover may be towards the bottom end of the scale for data-intensive businesses.
A number of interesting points arise from this Penalty Notice.
The ICO emphasises that the fine is not the result of Marriott’s failure to identify the flaws in the Starwood system upon its acquisition, but rather its failure, in a four-month period, to “…rigorously to test, assess and evaluate the effectiveness of its security measures …”. Whilst this might be indicative of the ICO’s desire to use the GDPR’s penalty caps rather than those under the pre-existing law, it remains the case that, had Marriott’s due diligence upon acquisition identified the weaknesses in the system (and the fact that it had already been compromised), Marriott would likely not now be on the receiving end of an £18m fine.
Notwithstanding the previous comment, the decision highlights the importance of continuous risk assessment for security systems; a failure to do this (and in quite a specific way, given that Marriott had improved security in the system) appears to have been treated as being as negligent as not doing sufficient due diligence on the acquisition of the system in the first place. Considerable weight was put on the guidance provided to companies by the U.K. Government’s National Cyber Security Centre (NCSC) and the U.S. Government’s National Institute of Standards and Technology (NIST).
The fact that Marriott relied on its outsourcing partner to provide security solutions did not provide much if any protection. Parties will want to look at their outsourcing contracts to identify which of the contracting parties should bear the liability for such fines (which under English law raises the issue whether an indemnity in respect of an administrative fine is enforceable as a matter of public policy).
The reduction from the potential fine to the actual fine followed a detailed administrative process whereby Marriott was able to put forward detailed arguments to defend its behaviour. On one analysis, the mitigating steps Marriott undertook and its co-operation with the regulator resulted in a substantial reduction in the penalty.
The fine was significant despite the fact that the ICO was not aware that any of the individuals had suffered financial harm, and that its conclusion that some individuals had suffered distress was more an assumption than a finding based on fact.
It is not easy to see the basis for the calculation of the penalty, either at the initial indicative stage or in the end result, but it is clear that the ICO will not hesitate to seek substantial fines, including with a view to discouraging poor data protection practices and encouraging good ones.
However, whatever conclusions might be drawn from this, it is clear that companies will need to ensure that their information security systems are as good as they can be. This is particularly true of companies operating in data-intensive industries such as this one in the leisure and hospitality sector.
© 2020 Brown Rudnick LLP