August 7, 2022

Volume XII, Number 219

Marriott Cyberattack Fine Reduced as ICO Shifts Penalty Policy

On 30 October 2020, the UK's data privacy regulator, the Information Commissioner's Office (ICO), issued a final penalty notice (Penalty Notice) fining the hotel chain Marriott International, Inc. (Marriott) for a GDPR data breach caused by a sophisticated hacking of its systems. In strikingly similar fashion to the recent British Airways (BA) GDPR final penalty notice, Marriott had received a near-record initial proposed fine of £99.2 million. Following more than a year of representations, the fine has been cut by over 80% to £18.4 million as a result of co-operation, mitigating factors, and a revision of the ICO's turnover-centric approach to calculating fine amounts. The Penalty Notice also reinforces the ICO's message that all data controllers, regardless of the primary service they provide, must have adequate and up-to-date security measures in place to prevent data loss through sophisticated cyberattacks.

The Breach

Marriott notified the ICO in November 2018 of an incident that had exposed approximately 339 million guest records worldwide over a period of four years, caused by a sophisticated hacking of the recently acquired Starwood Hotels group. Starwood suffered a cyberattack in 2014, through which an unknown attacker installed malicious code on the Starwood systems, giving persistent remote access to view and edit data on the network. Marriott acquired Starwood in September 2016 but did not discover the exposure of customer information until 2018. During this period, an estimated 30 million residents of the European Economic Area (EEA) were affected, including seven million UK residents. The personal data affected included unencrypted passport details, phone numbers, booking information and credit card data.

The ICO held that there were several distinct weaknesses in Marriott's security systems that it ought to have identified and remedied in the roughly four months between the GDPR coming into force on 25 May 2018 and the attack being detected in September 2018. The failings identified were insufficient monitoring of privileged accounts, insufficient monitoring of database activity, inadequate controls over critical systems, and a failure to encrypt sensitive data such as passport numbers. The breach serves as a reminder of the importance of effective security due diligence in the run-up to an acquisition involving any large-scale processing of personal data, and of ensuring that any issues raised are quickly acted upon rather than left in the acquired estate.

Mitigating Factors

In the Penalty Notice, £28 million was identified as an appropriate starting point to dissuade future GDPR breaches and to proportionately penalise Marriott. A reduction of 20%, to £22.4 million, was made in recognition of Marriott's full co-operation with the investigation, the widespread reporting of the attack (which raised awareness of ongoing GDPR obligations), and the financial loss Marriott had already incurred through reputational damage. A further reduction, to £18.4 million, was made to reflect the adverse impact of COVID-19 on the hotel business.

Similarities With BA Breach

As with the BA notice, the dramatic decrease between the initial and final fine results from the ICO moving away from reliance on an unpublished, turnover-centric policy for calculating fines. Both BA and Marriott argued that it was unlawful to rely on an unpublished policy and that there is no logical relationship between a breach caused by a malicious attack and the victim's turnover, since the entity that is hacked does not profit from the breach. In both cases the ICO responded by relying less heavily on turnover as an indicator, while refusing to rule out its continuing relevance alongside other factors.

The ICO has also reinforced its expectation of high standards from all data controllers regardless of their area of business. BA and Marriott process large volumes of personal information, including sensitive data, and so have a duty to ensure adequate systems are in place to protect that data from sophisticated attackers. The ICO highlights the importance of continuous monitoring and regular testing of security systems to ensure this goal is achieved, particularly when acquiring new systems or businesses.

© 2022 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. National Law Review, Volume X, Number 314

About the Authors

Huw Beverley-Smith, Transactions Lawyer, Faegre Drinker

Huw Beverley-Smith advises customers and suppliers on a wide range of international transactions and regulatory issues, including technology, telecommunications and business process outsourcing, complex services agreements, intellectual property ownership and licensing. He counsels clients on privacy and cybersecurity issues and helps navigate regulatory hurdles and operational and commercial risks. Huw is the author of several books and articles on intellectual property and privacy, including "Rights in Data and Information" in the Oxford Handbook of Intellectual...

+44 (0) 20 7450 4551

Charlotte H.N. Perowne, International Transactions & Regulatory Issues, Faegre Drinker Biddle & Reath, London, UK

Charlotte Perowne advises clients on a wide range of international transactions and regulatory issues, including technology transactions, outsourcing, intellectual property ownership and licensing, data privacy, and cybersecurity. Charlotte helps clients navigate U.K. and EU data protection and other regulatory risks and advises international clients across a range of industries on commercial projects and international transactions.

Past Experience

Prior to her time with Faegre Drinker, Charlotte was a trainee solicitor with CMS Cameron McKenna Nabarro Olswang, gaining...

+44 (0) 20 7450 4532

Fred Kelleher, Trainee Solicitor

Fred Kelleher advises clients on emerging legal and regulatory trends relating to labor and employment, with an eye toward supporting businesses in efforts to expand their workforce and deepen their presence across markets.

Previous Experience

Fred launched his career as a corporate paralegal at Goldman Sachs, assisting clients on regulatory and transactional matters. Fred then moved into a similar role on the investment funds team of an international law firm, where he advised general managers on fund formation and fund raisings. His last role prior to joining Faegre...

+44 (0) 20 7450 4564