Having failed to secure millions of customers' personal data, Marriott International Inc. has been fined £18.4 million by the UK Information Commissioner's Office for infringing the General Data Protection Regulation (EU). In light of the £99,200,396 penalty the Information Commissioner's Office initially intended to issue in July 2019, Marriott International Inc.'s final fine has been significantly reduced.
It is estimated that 339 million hotel guest records worldwide were affected following a cyber-attack on Starwood Hotels and Resorts Worldwide Inc. ("Starwood") in 2014. In short, by installing code (a so-called "web shell") on a Starwood device, the attacker was able to remotely access Starwood's system and network as a privileged system user. The attacker obtained login credentials and exported substantial amounts of data from Starwood's servers, including, inter alia, hotel customers' names, passport numbers, phone numbers and email addresses. The attack was not detected until September 2018, by which time Starwood had been acquired by Marriott International Inc. ("Marriott").
In issuing the fine, the Information Commissioner, Elizabeth Denham, underlined that the General Data Protection Regulation ("GDPR") requires organisations to be accountable for the personal data they process, including personal data they come to process by reason of company acquisitions. The UK Information Commissioner's Office's ("ICO") investigation found that Marriott had failed to implement adequate technical and organisational measures to protect the personal data in question, as required by Articles 5(1)(f) and 32 of the GDPR. According to the ICO, Marriott's failures were fourfold: (i) a lack of monitoring of privileged accounts, which would have detected the breach earlier, (ii) a failure to monitor relevant databases, (iii) a failure to implement preventive measures to reduce vulnerabilities and (iv) a failure to encrypt personal data such as some passport numbers.
Although the cyber-attack was traced back to 2014, the penalty was calculated from the point at which the GDPR came into effect (May 2018). The ICO fined Marriott £18.4 million, significantly less than the initially proposed fine of £99,200,396 presented in July 2019. In reducing the fine, the ICO took into account the economic impact of COVID-19 on Marriott's business and the steps Marriott took to mitigate the effects of the attack. Marriott was relatively swift in notifying the ICO, as well as its customers, once it became aware of the attack. Marriott further instigated measures to improve the security of its systems, such as disabling accounts, implementing password resets and deploying enhanced attack-detection tools.
It is worth noting that, at the same time as it issued its intention to fine Marriott, the ICO also issued an intention to fine British Airways £189.39 million for comparable infringements of the GDPR. As with Marriott's final penalty, British Airways' fine was reduced to £20 million. The ICO has, however, not provided any explicit explanation as to why the final penalties were so significantly reduced. In comparison with the largest GDPR fine issued so far, the €50 million fine received by Google Inc., the ICO's proposed fines may be considered excessive. On the other hand, the GDPR is intentionally designed to impose severe financial consequences for the mistreatment of personal data as a preventive measure. It might be suggested that the ICO, as well as other EU supervisory authorities, may find it difficult to determine appropriate sanctions under the GDPR.
This case underlines the importance of ensuring appropriate organisational and technical measures when processing personal data. Under Article 83(5) of the GDPR, data protection authorities are entitled to fine a company up to 4% of its annual turnover for infringements of the GDPR. Although Marriott's initial fine was substantially reduced, it serves as a warning to organisations that data protection authorities are willing to impose fines equal to 4% of the infringing company's annual turnover. Moreover, in addition to investigating current violations of the GDPR, data protection authorities will take into account violations inherited by reason of company acquisitions. This was emphasised by the Information Commissioner, Elizabeth Denham, in the ICO's intention to fine Marriott:
"The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected."