The day after the intention of the UK’s Information Commissioner’s Office (“ICO”) to levy a record £183.39 million fine against British Airways was announced, Marriott International announced to the US Securities and Exchange Commission that the ICO intended to fine it £99.2 million. The proposed fine relates to the personal data breach Marriott originally announced in November 2018 regarding security vulnerabilities within the hotel group Starwood which the ICO state resulted in exposure of approximately 339 million guest records globally.
Businesses should note that super fines now appear to be the norm under the GDPR for significant personal data breaches that the ICO investigates. The fact that Marriott highlighted that this personal data breach resulted from a criminal attack is immaterial given the attack also involved the exposure of approximately 9.1 million unique encrypted payment card numbers, 5.25 million unique unencrypted passport numbers and 18.5 million encrypted passport numbers.
This particular case also emphasises the importance of undertaking thorough technical due diligence when purchasing any target. Marriott purchased Starwood in September 2016. Marriott stated on 30 November 2018 that they only received an alert regarding the incident on 8 September 2018 and “there had been unauthorized access to the Starwood network since 2014”. Marriott are nonetheless being held responsible for security vulnerabilities that were exploited two years before they purchased Starwood. The ICO’s statement in response to Marriott’s announcement specifically states “that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems… [and purchasers must carry] out proper due diligence when making a corporate acquisition”. It also suggests the fact it took Marriott two years post-completion to discover the vulnerability and subsequent breach was an aggravating factor in the level of the proposed fine. Further details may become clearer once the ICO issues the formal Monetary Penalty Notice.
The proposed fine also highlights that purchasers should carefully consider the IT, data protection and privacy provisions that are typically found in the warranties schedule of a Sale and Purchase Agreement, together with the liability caps on, and the time limits for bringing, a claim for breach of such provisions.
Following the Marriott and British Airways cases, controllers may wish to strongly consider liaising with their insurance brokers about the extent to which fines imposed by a regulator under the GDPR are covered by their insurance policies.
Press and social media reaction to the proposed fines on British Airways and Marriott should remind all controllers of the reputational damage and cost one can suffer if a cyber incident becomes public.