- Just one day after its notice of its intent to fine British Airways £183.39 million, the ICO has issued a further notice of intent to fine Marriott International £99.2 million for its own data breach;
- The systems of the Starwood hotel group were originally compromised in 2014, prior to the acquisition of Starwood by Marriott in 2016 – the breach itself was not discovered until 2018 following completion of the corporate acquisition;
- The fine shines a spotlight on the importance of data and cyber due diligence in corporate transactions;
- No details have yet been published by the ICO regarding the specific GDPR infringements involved;
- Marriott now has the chance to respond to the notice of intent, after which a final decision will be made by the ICO.
Back in 2014, the guest reservation system of the Starwood group of hotels was compromised, exposing the personal data of approximately 339 million guest records globally, of which around 30 million related to residents of 31 countries in the European Economic Area. Seven million of those related to UK residents.
In 2016, the Starwood group was then acquired by Marriott International but the data breach was not discovered until 2018 and reported to the ICO in November 2018.
At the time, it was reported in the press that the information exposed involved some combination of: name; address; phone number; email address; passport number; account information; date of birth; gender; and arrival and departure information. Encrypted payment information was also attached to some records.
Implications for corporate M&A
One interesting aspect of the Marriott scenario was the fact that Starwood was acquired by Marriott in 2016 during which time the breach was ongoing but did not appear to be uncovered by any due diligence undertaken at the time of the acquisition. The ICO statement refers specifically to the due diligence process and the regulator’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood.
It therefore seems likely that we can expect to see much more focus going forward on data and cyber due diligence in the context of corporate acquisitions. This is likely to translate into a greater and more detailed set of questions being asked by potential purchasers, both at a legal and technical level – and an expectation that such diligence would actually expose a cyber incident that was in progress. In response, seller and target entities are going to need to work hard to get their houses in order prior to the sale process, in order to be able to respond appropriately and effectively to diligence questions on data protection compliance and cyber security.
The focus on diligence and data/cyber risk is also likely to read through to the sale and purchase documentation itself, even more so than it does at the moment. Discussions around data and cyber warranties are likely to become particularly contentious.
It may also prompt a re-think has to how the risk can be managed. Historically, one approach was to ring-fence some of the purchase price in escrow, only to be released after a period of time when the parties are satisfied that no data or cyber issues have come to light post-completion. However, while this might have worked effectively when the limits for the fines were £500k (likely a relatively small percentage of the purchase price), it is not so practical when fines in the 100s of £millions might arise in the future. It remains to be seen how this will fall to be dealt with. It is worth noting that insurance solutions are being increasingly used, and are always worth considering, although it is not clear how easily they could address a significant known cyber problem.
As with the BA notice of intent, the ICO has not yet published the full details of its enforcement. In particular, it hasn’t published details regarding the specific infringements in question or details of how it calculated the level of fine.
Much of the technical detail around how the incident occurred is not yet in the public domain. However, it has been widely reported that a nation-state actor is likely behind it, not least because of the extended period between compromise and detection, but also because it is well documented that data on who is travelling and staying where has value to intelligence agencies. If it is indeed a nation state attack, the magnitude of the fine answers the often-posed question as to whether data privacy regulators will levy fines in relation to such attacks and whether they are seen as being preventable, notwithstanding the advanced and persistent nature of the threat.
The enforcement action itself has also not yet been finalised and Marriott will now have the opportunity to make representations to the ICO as to the proposed findings and sanction. The ICO will then consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision. This could mean that the final level of fine is different to today’s announcement.
Even if the final fine does remain at its current intended level, it seems likely that Marriott would appeal, a process which would take some considerable time, meaning that the fine itself is unlikely to be paid any time soon.
Whatever the outcome of the enforcement, it is clear that the ICO has woken up to GDPR enforcement activity with a bang and today’s notice of intent is likely to have direct consequences not just in relation to data and cyber security practices, but also more broadly across corporate mergers and acquisitions as a whole.