A global hotel group has been fined after a four-year-old data breach was identified, even though the personal data was in different hands when the cyber-attack originally occurred.
In a penalty notice issued on 30 October 2020, the Information Commissioner’s Office has fined Marriott International Inc £18.4 million for failing to secure its customers’ personal data against cyber-attack.
As it happened
In 2014, the hotel group then known as Starwood suffered a cyber-attack on its IT system, in which approximately 339 million guest records globally were compromised. The breach was not identified at the time it happened.
Marriott acquired the group two years later, in 2016, and the data leak was identified in November 2018, after the acquisition, by which time the attackers had retained access to the personal data for nearly four years.
The ICO investigated Marriott, threatening the chain with a fine of £99 million due to its failure to undertake “sufficient due diligence” when it acquired Starwood.
Was Marriott really liable?
The ICO decided that Marriott had breached its obligation to process personal data in a manner that ensured appropriate security. Marriott did not appeal this decision and has not suggested that it intends to appeal the penalty notice, but it did not admit any liability for the breach, as the breach occurred before the personal data involved came under its control.
However, upon further investigation by the ICO, and following British Airways’ successful appeal to reduce its own fine from £183 million to £20 million, the ICO has also reduced the size of the fine against Marriott to £18.4 million.
In the British Airways case, which saw the largest fine ever levied by the ICO, the ICO took into account British Airways’ subsequent steps to improve and invest in its security systems, as well as the impact of the COVID-19 pandemic on its response to the breach.
The ICO has taken a similar approach to Marriott, acknowledging that, on discovering the breach, it promptly contacted the customers affected and notified the appropriate authorities, including the ICO. Marriott has also implemented security measures since becoming aware of the breach that are more appropriate to the size of the company and the data it collects and holds.
Considering buying a business?
The Marriott case is important to note if you are considering purchasing another business. Some commentators have criticised the ICO’s decision to fine Marriott, even after the significant reduction in the fine, as it may serve to discourage businesses from growing through acquisition for fear of past unknown data breaches in the target company.
If you are seeking to acquire a company, your legal advisers will need to be aware of the potential future liability for you as purchaser if the target company suffered a data breach prior to the sale. Warranties and indemnities in the purchase agreement should be drafted in light of this risk.
However, it is interesting to note that, in the case of both the British Airways and Marriott fines, neither proposed fine was realised, following either an appeal by the party at fault or further investigation by the ICO itself.
It is not clear what part each of the factors considered by the ICO played in reducing the fines, but these cases have demonstrated that the ICO does give credit for mitigating actions by parties in breach.
Need a data specialist lawyer?