
Inherited GDPR breach still leads to a record fine for Marriott

November 3, 2020, by Preiskel & Co

A mere two weeks after the record-breaking £20 million Information Commissioner’s Office (“ICO”) fine for British Airways, Marriott has been handed the second-highest General Data Protection Regulation (“GDPR”) penalty to date, at £18 million. A striking similarity between the two fines is the steep discount from the original figure (£99.2 million) set out in the ICO’s notice of intention to fine, dated July 2019.

Marriott has not admitted liability for the breach, and indeed the hack originally started in the network of Starwood Hotels and Resorts Worldwide Inc. in 2014, before Marriott had even offered to acquire the company. The penalty issued at the end of last week, however, only relates to the breach from 25 May 2018, when the GDPR came into effect.

In assisting with the investigation, Marriott estimated that 339 million guest records worldwide were affected following the attack in 2014. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott. This has been the source of some discussion as to whether the breach was identifiable during due diligence for the purchase. Arguments have been made as to whether Marriott, as the inherited owner of the security failings, was being treated fairly by being fined such a significant amount. This was especially pointed when the original notice was for such a large sum, £99.2 million. It is worth highlighting that the final decision notice from the ICO does not state whether Marriott would have been able to discover the security breach through due diligence during its acquisition process.

As the breach predated the UK’s departure from the EU, and approximately 7 million of the personal data records related to UK data subjects, the ICO led the investigation on behalf of all EU authorities under the GDPR. This is key, as the penalty and action taken by the ICO have been approved by the other EU Data Protection Authorities in accordance with the GDPR’s cooperation process. To add to its woes, Marriott is also dealing with a separate London class action brought by many former guests demanding compensation, as the personal data accessed in the breach included names, email addresses, phone numbers and unencrypted passport numbers, among other things.

The ICO found in its investigation that Marriott’s failure to implement appropriate technical and organisational measures to protect personal data, as required by the GDPR, led to an increased risk of a breach. Representations by Marriott evidencing its penetration testing, and that use of the Starwood legacy system was soon to be halted, were not accepted as sufficient or as a reason to lessen liability.

As a step in the regulatory process, the ICO took into consideration Marriott’s actions once it had been informed of the breach. The ICO considered the mitigation Marriott undertook to lessen the impact of the incident and the significant difficulties the company was facing due to COVID-19. It was specifically noted in the report that Marriott acted swiftly to notify customers and the ICO once the breach had been brought to its attention, and that the company has since implemented multiple measures to improve the security of its IT systems.

Following Marriott’s representations, the ICO proposed a final fine of £28 million. The figure was then discounted by 20 percent, to account for the company putting mitigating measures in place and making multimillion-pound security investments in its IT systems, reducing the figure to £22.4 million. A further £4 million reduction was applied to account for the impact of the COVID-19 pandemic, to reach the final figure of £18.4 million.

As with the British Airways fine, the ICO is demonstrating that significant reductions are available to companies that show a willingness to cooperate with the regulator, communicate swiftly with affected parties, mitigate the impact of the breach and remediate any damage suffered by the individuals. It may also be opening the door to significant delays in issuing final penalty notices, due to lengthy representations by the companies: Marriott’s representations were subject to four extensions of time. Despite the length of the process, it is worth highlighting that there was no such delay in notifying the ICO at the outset, or in contacting customers. These actions, and the application of the GDPR principles, remain a guiding force in how the ICO views the conduct of any company that is subject to a breach.

Please contact Jose Saras and Joanna Coombs-Huang if you have any questions relating to data protection policies and procedures.

The material contained in this article is only a general review of the topics covered and does not constitute any legal advice. No legal or business decision should be based on its content.
