ICO's second GDPR fine in as many days highlights importance of due diligence in acquisitions

Hot on the heels of the proposed British Airways fine, the Information Commissioner’s Office (ICO) today issued notice of its intention to serve a penalty notice (a fine) on Marriott International Inc (Marriott). The ICO intends to fine Marriott £99,200,396 following last year’s personal data breach whereby the data of around 339 million guests globally was exposed, with around 30 million records relating to residents of the European Economic Area, approximately seven million of which related to UK residents.

Why a Notice of Intention?

Under the UK’s Data Protection Act 2018, the ICO is required to provide a notice of intention giving the details of the proposed fine and the circumstances as to why the ICO seeks to issue it. Marriott will now have a minimum of 21 days to make written representations to the ICO on the proposed fine. Marriott’s Chief Executive Officer, Arne Sorenson, has already expressed Marriott’s disappointment in the notice of intent and confirmed it will dispute the notice and therefore make representations. With shares in Marriott dropping 1.9% this afternoon, Marriott will be hoping that its representations will be heard and the penalty notice reduced.

What does the fine relate to?

The proposed fine has been imposed following a cyber security incident that Marriott notified the ICO about in November 2018. Please see our blog where the incident is discussed in some detail. In simple terms, the incident commenced in 2014 when the Starwood hotels group systems were compromised, allowing the personal data of the 339 million guests to be exposed over a four-year period. Marriott acquired the Starwood hotels group in 2016; however, the vulnerability and the exposure of the guests' data were only uncovered in 2018.

What did the ICO investigation find?

Whilst Marriott did co-operate with the ICO throughout the investigation and has since taken steps to improve the security of its systems:

  • Marriott did not undertake satisfactory due diligence when it acquired Starwood, as the compromise should have been uncovered in the acquisition process; and
  • Marriott should have had more robust security measures in place to ensure the security of the systems.

Two key takeaways from the two proposed fines?

  • When acquiring a business – you must undertake satisfactory due diligence.
  • You should have robust security measures in place to ensure the security of your systems. The ICO have made it clear that they will not be tolerant of poor security procedures.

Today the ICO have demonstrated that they will impose substantial fines under data protection legislation on companies that have experienced data breaches, especially those that could have been prevented by steps such as improved due diligence and enhanced security measures.

Make no mistake - the ICO is showing that the legislation has real teeth and proposes to use that legislation to the fullest extent.

For advice and assistance, please contact a member of our Data Protection team or contact our Data Breach Response Helpline on 0300 303 1019.

This article was co-written by Rachel Gillan.
