Hot on the heels of the £139M fine for British Airways (see our post here) comes confirmation from the ICO that it has proposed a financial penalty of £99.2M for breach of GDPR arising out of a data security breach reported in November 2018 (see our previous post here). As a result of the hack, 339 million guest records (reported to include name and contact details, date of birth and passport number) were exposed worldwide.
The problems were identified in 2018, but it was found that the lapses had started in 2014 in systems operated by Starwood, which Marriott acquired in 2016. One of the key points made by the ICO was that Marriott did not undertake sufficient due diligence into Starwood’s systems upon or following the acquisition and it should have done more to secure the systems.
The basis of the calculation of the fine is unclear – the maximum that can be levied is 2% of global annual turnover or €10M (whichever is higher), and with Marriott’s worldwide turnover exceeding $20 billion, it looks like a relatively low percentage has been adopted.
Another point to note is that, like the BA fine earlier in the week, the ICO is acting as the lead supervisory authority in co-ordinating the investigation across the EU and imposing sanctions on behalf of all other EU supervisory authorities (a role it will lose in the event of a no-deal Brexit).
The big takeaway must be the censure of Marriott in relation to a business they acquired. Clearly, an explanation that the problems lay in an acquired business and that it took time for the buyer to bring the systems up to scratch will not wash. Corporate buyers need to be alive to the risk and ensure that an acquisition target is checked thoroughly from both a compliance and a technical perspective, either before or soon after completion of the purchase.