By Malcolm McBratney, Partner, Scott Coulthart, Special Counsel and Teneille Meyer, Lawyer
On 9 July 2019, the United Kingdom’s Information Commissioner’s Office (ICO), the UK’s data protection regulator, announced its intention to fine Marriott International, Inc more than £99 million under the European Union’s General Data Protection Regulation (GDPR) for a data breach.
This announcement came just one day after the ICO announced its intention to fine British Airways £183.39m under the GDPR (as we reported last week).
Marriott Data Breach
The proposed fine to be issued to Marriott relates to a cyber incident which Marriott notified to the ICO in November 2018. Personal information (including credit card details, passport numbers and dates of birth) contained in approximately 339 million guest records globally was exposed by the incident; around 30 million of those records related to residents of 31 countries in the European Economic Area.
It is reported that the exposure began when the systems of the Starwood Hotels group were compromised in 2014. Marriott acquired Starwood in 2016, but the compromise of customer information was not discovered until 2018, meaning the attackers retained access to the acquired systems for roughly two years after the acquisition closed.
The ICO found that Marriott:
- failed to undertake sufficient due diligence when it bought Starwood; and
- should also have done more to secure its systems after the acquisition.
Information Commissioner Elizabeth Denham said:
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset.”
Key lessons
- The GDPR has extraterritorial reach. The ICO’s intention to fine a US company shows that entities established outside the EU can still be caught. Australian companies are just as exposed: under Article 3(2) of the GDPR, an organisation with no EU establishment is still covered if it offers goods or services to, or monitors the behaviour of, individuals in the EU.
- Do proper privacy and data due diligence. The ICO specifically commented on the importance of companies conducting adequate due diligence when making acquisitions and inheriting systems and data. Clearly, the ICO will not ‘go easy’ merely because the original compromise predates the GDPR (which took effect on 25 May 2018): the Starwood data remained exposed well after that date. Companies need to know what systems and data they have, or will have, in place, and that knowledge should come from a technical review of the target’s environment (including whether it has already been compromised), not only from contractual warranties.
- Secure your systems. After an acquisition, buyers must take steps to fix any identified issues that affect the security of personal data, and must extend their own security monitoring and controls to the inherited systems rather than leaving them as a separate, unwatched estate. The ICO stated that companies will need to prove they have taken “appropriate technical and organisational measures” (the standard set by Article 32 of the GDPR) to comply with their privacy obligations. While it is one thing to be aware of security issues, it is another to address them, and to be able to evidence that they were addressed.
The ICO’s two recent notices of intent are the first indications that the ICO is willing to exercise its enforcement powers under the GDPR to the fullest extent possible.
We will remain abreast of the latest reports from the various privacy regulators and keep you informed.