The final amount, whilst being a substantial fine, is a significant reduction from the £99.2m the ICO announced it intended to issue in its second notice of intent in
The breach is believed to have started when Starwood's systems were affected by a cyber-attack in 2014, giving the attacker access to a range of personal details including: names, email addresses, phone numbers, passport numbers, arrival and departure information, VIP status and loyalty programme numbers. Marriott, which acquired Starwood in 2016, uncovered the breach and notified the ICO in
The subsequent ICO investigation found that Marriott failed to process personal data in a manner that ensured appropriate security of the personal data as required by Article 5(1)(4) and Article 32 GDPR.
In its final penalty notice the ICO stressed that the decision relates solely to the period of the breach from
The ICO's decision
In reaching its decision, the ICO identified a number of security issues. The ICO acknowledged that, while Marriott had taken steps to prepare for the GDPR, this did not mitigate its failure to implement appropriate security measures for the systems it had acquired. Marriott had proposed decommissioning the Starwood systems in early 2018, but this was delayed until the end of 2018.
Due diligence
Marriott's representations stated that it was only able to carry out limited due diligence on Starwood's systems and databases on acquisition. The ICO reiterated that, as the decision only considered the period after the GDPR came into effect, no finding of infringement was made in relation to the due diligence undertaken at the time of the purchase. It also stated that the need for a controller to conduct due diligence in respect of its data operations is not a time-limited or one-off requirement, particularly for a global business. Even if appropriate due diligence had been undertaken at the point of acquisition, that would not have removed Marriott's obligation to ensure, on a continuing basis, that it complied with the GDPR. The ICO's statements highlight the need for purchasers to carry out thorough due diligence and to obtain assurances from sellers of compliance with data protection requirements.
Draft Internal Procedure
Echoing the representations made by
COVID-19
Following the ICO's own published guidance on its Covid-19 approach, the reduced fine includes a £4m reduction to take into account the impact of the pandemic on Marriott and more generally. In the circumstances, this does not appear to be a dramatic reduction in the level of fine ultimately issued.
© Copyright 2020. The Mayer Brown Practices. All rights reserved.
Mr Mark Prinsley
© Mondaq Ltd, 2020 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source