Within a week of announcing its intention to fine British Airways £183.39M for infringements of the GDPR, the UK’s Information Commissioner’s Office (ICO) has issued a statement of its intention to fine US-based Marriott International Inc (“Marriott”) £99,200,396 for infringements of the GDPR.
This matter relates to a cyber security incident which was notified by Marriott to the ICO in November 2018. The incident is believed to date back as far as 2014, when the systems of the Starwoods Hotel Group (“Starwood”) (a hotel group acquired by Marriott in 2016) were compromised. This was not discovered, however, until 2018 (post acquisition by Marriott). The records of approximately 339 million hotel guests from across 31 EEA countries were exposed by the incident. According to the ICO:
• Marriott “failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems” and
• “…organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
Before the ICO issues its final decision, Marriott will have an opportunity to make representations, as will the other concerned supervisory authorities in the EU. In a statement published in response, Marriott has indicated that it “intends to respond and vigorously defend its position.”
For more information please see:
This highlights the importance of prioritising and fully addressing GDPR and data processing enquiries as part of the due diligence process and, where appropriate, ensuring the necessary indemnities are in place. Post-acquisition, the client (buyer) must also ensure that appropriate measures are put in place to safeguard the personal data acquired.