In a recent press release, Marriott International announced that the UK Information Commissioner's Office (ICO) communicated its intent to issue a fine in the amount of £99,200,396 (over $124 million) against the company for infringements of the General Data Protection Regulation (GDPR) in relation to the Starwood guest reservation database incident.
What Happens Next?
Since this is a notice of an intent to fine, the proposed fine could change. According to Odia Kagan, partner and Chair of GDPR & International Privacy at Fox Rothschild, the ICO will soon hear representations, from Marriott and potentially other parties (like other data protection authorities) as to the findings and the size of the fine. These representations may affect the potential fine and mitigate it. This process may take several months. After this, the ICO will issue its actual decision.
Marriott will have the right to appeal the decision to the First Tier Tribunal (Information Rights) within 28 days of the decision, Kagan explains. The progression of any appeal is a matter for the tribunal. If the Tribunal decides that the Commissioner’s decision was wrong in law, or that she exercised her discretion wrongly, it can overturn the decision and issue a substitute decision notice. If an appeal raises particularly complex or important issues, it may be transferred to the Upper Tribunal (Administrative Appeals) Chamber. The Upper Tribunal also hears appeals against decisions of the First Tier Tribunal (Information Rights). Appeals against decisions of the Upper Tribunal are heard in the Court of Appeal.
Is the ICO Sending a Message?
In its statement, the ICO said its "investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems."
The ICO's Information Commissioner Elizabeth Denham added: "The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected. Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public."
"Per Article 83 administrative fines under the GDPR are to be 'effective, proportionate and dissuasive,'" says Matt Wilson, Chief Information Security Advisor at BTB Security, a cybersecurity consulting firm. "So yes, the ICO is absolutely making an example out of Marriott, and they told everyone at least three years ago that they would. It has been well understood among privacy and security professionals that GDPR would first impact the large multi-national corporations which have the most means and largest data sets. Eventually this will trickle down to smaller companies, but this is exactly what was supposed to happen."
Divya Gupta, a partner at the international law firm Dorsey & Whitney, agrees. She says this should serve as a wake-up call to all hospitality businesses.
"This fine is a warning to companies that fail to protect private information from loss, damage or theft," Gupta said. "The fines are intended to encourage compliance because when entrusted with personal data, it’s a company’s job to diligently look after it, and for many years companies have gotten away with not doing so."
Additionally, although the data breach at Starwood began before Marriott acquired the company, the ICO is still holding Marriott responsible for not catching the breach prior to or during the acquisition process.
Collin Varner, Cybersecurity, Senior Associate of Schellman & Company, LLC, a global independent security and privacy compliance assessor, notes that the ICO's action could change the way hotels view mergers and acquisitions and the protocols they put into place when considering such an action.
"Organizations should take a lesson from Marriott when seeking a merger or acquisition and perform adequate due diligence on a company’s IT environment to ascertain the health of their information security practices," Varner notes. "Vulnerabilities that are identified should not only be remediated, but researched to ensure it was not exploited. Considering the breach initially occurred two years prior to Marriott absorbing Starwood, I believe we could see a change in how organizations approach partnerships and acquisitions to abstain from risks to company reputation.”
Do Hotels Only Need to Worry About GDPR Fines?
According to Doron S. Goldstein, partner, Co-Head – Privacy, Data and Cybersecurity Practice at Katten Muchin Rosenman LLP, this is quickly becoming a global issue. For instance, laws in South America, Asia, and elsewhere are either under discussion or already enacted.
"It is important to note that each regulator has its own independent right to enforce within its jurisdiction, so in the event of a data protection failure that impacts residents of multiple jurisdictions, the regulators in each of those jurisdictions can launch their own investigations and impose their own fines under their laws," Goldstein adds.
The United States is not immune to this practice either with several states imposing privacy laws similar to GDPR with heavy penalties. The California Consumer Privacy Act (CCPA) is one such law. (Read more about it here.)
According to Gupta, the CCPA imposes even heavier penalties than the GDPR. For example, in Marriott's data breach – 30 million Europeans were impacted. However, if this breach affected only three million California residents, the minimum domestic statutory penalties Marriott would be facing would be $300,000,000 – or double what the GDPR is levying against the company.
However, that's just the regulatory fine. CCPA also allows for individuals to bring class action lawsuits against a company. These lawsuits can "easily rise into the millions, and unlike regulatory fines which are often proportional to the size of the business, these don’t depend on the size of the company, only the number of individuals impacted: the same potential class action liability would exist for a company like Marriott or the owner/operator of a few properties, as long as they met the CCPA size thresholds," Goldstein notes.
"The lesson here: This GDPR penalty is a paltry sum, compared to what is looming," Gupta says.