Hot on the heels of the proposed British Airways fine, the Information Commissioner’s Office (ICO) today issued notice of its intention to serve a penalty notice (a fine) on Marriott International Inc (Marriott). The ICO intends to fine Marriott £99,200,396 following last year’s personal data breach whereby the data of around 339 million guests globally was exposed, with around 30 million records relating to residents of the European Economic Area, approximately seven million of which related to UK residents.

Why a Notice of Intention?

Under the UK’s Data Protection Act 2018, the ICO is required to provide a notice of intention giving the details of the proposed fine and the circumstances as to why the ICO seeks to issue it. Marriott will now have a minimum of 21 days to make written representations to the ICO on the proposed fine. Marriott’s Chief Executive Officer, Arne Sorenson, has already expressed Marriott’s disappointment in the notice of intent and confirmed it will dispute the notice and therefore make representations. With shares in Marriott dropping 1.9% this afternoon, Marriott will be hoping that its representations will be heard and the penalty notice reduced.

What does the fine relate to?

The proposed fine has been imposed following a cyber security incident that Marriott notified the ICO about in November 2018. Please see our blog where the incident is discussed in some detail. In simple terms, the incident commenced in 2014 when the Starwood hotels group systems were compromised, allowing the personal data of the 339 million guests to be exposed over a four-year period. Marriott acquired the Starwood hotels group in 2016, however the vulnerability and exposure of the guests data was only uncovered in 2018.

What did the ICO investigation find?

Whilst Marriott did co-operate with the ICO throughout the investigation and has since taken steps to improve the security of their systems:

  • Marriott did not undertake satisfactory due diligence when it acquired Starwood as this should have been uncovered in the acquisition process; and
  • Marriott should have had more robust security measures in place to ensure the security of the systems.
Two key takeaways from the two proposed fines?
  • When acquiring a business – you must undertake satisfactory due diligence.
  • You should have robust security measures in place to ensure the security of your systems.  The ICO have made it clear that they will not be tolerant of poor security procedures.

Today the ICO have demonstrated that they will impose larger and more substantial fines under data protection legislation on companies that have experienced data breaches, especially those that could have been prevented by steps such as improved due diligence and enhanced security measures.

Make no mistake - the ICO is showing that the legislation has real teeth and the proposes to use that legislation to the fullest extent.

For advice and assistance, please contact a member of our Data Protection team or contact our Data Breach Response Helpline on 0300 303 1019.