Another record breaking GDPR fine announced

Yesterday (9 July) the Information Commissioner’s Office announced its intention to fine the international hotel and hospitality company Marriott International £99,200,396 for infringements of the General Data Protection Regulation (GDPR).

This is the second such multimillion pound penalty announced by ICO this week – the first related to British Airways.  It is an intention to fine at this stage – the ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.  But the magnitude of the proposed fine indicates the very serious nature of the breach of the GDPR.

The proposed fine relates to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.

It is thought the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.  Following a detailed  investigation ICO found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

In announcing the proposed fine the UK Information Commissioner herself noted: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.  Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

The ICO has noted that Marriott has co-operated with the ICO investigation and has made improvements to its security arrangements since these events came to light.   In response Marriott International commented: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.  We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”   The Starwood guest reservation database that was attacked is no longer used for business operations.

As in the British Airways case the ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.  If there is a no deal Brexit the ICO in the UK will no longer have such a role but the Government has made clear the GDPR will still apply in the UK.

Implications for business

Businesses need to wake up to the fact that the days of a cap on data protection fines of £500k are now history in the UK.  Serious breaches of the GDPR affecting large numbers of data subjects will now attract very significant fines.  ICO’s powers extend to fining an organisation up to the greater of Eur20m or 4% of worldwide group turnover.  But the liability doesn’t end with fines.  There’s the reputational damage, the legal and administrative costs in dealing with the matter  and perhaps most ominously the threat of class action data breach lawsuits on behalf of affected data subjects.  If millions of data subjects are affected the claims here can easily outstrip the level of any fines.  For example in a 2016 case where damages for distress for breach of the Data Protection Act were awarded against the Home Office the damages ranged from £2,500 to £12,000 per person.  In this case the Home Office appealed but lost – with Lord Justice Gross pointing out at the start of the judgment: “A hallmark of today’s world is the ease with which departments of State and large private organisations can collect, store and utilise vast quantities of data…. this appeal highlights the perils of the misuse of private and confidential data, and the processing of personal data in breach of the statutory requirements.”

The other interesting aspect of the Marriott International case is that Marriott were not the initial source of the problem – they inherited it when they acquired Starwood.  Following the Starwood acquisition they would have become the new data controller and so liable under the GDPR  – ironically if Marriott had discovered the problem earlier and notified the matter and dealt with it internally before 25 May 2018 they would only have been liable for a fine of up to £500,000 as regards the UK – although the risk of class action law suits would have remained.  It also highlights the need for proper GDPR and information security due diligence in corporate acquisitions.

The GDPR is over a year old.  It has real teeth.  Businesses mustn’t be complacent.  Compliance remains key.  And this matters when you are acquiring data assets as well, as Marriott International have found out to their cost.

NB: The ICO has just published its annual report for 2018/2019 calling it an “unprecedented year”.