Marriott Data Breach results in ICO fine of £18.4million

Background

The data breach in question arose from a cyberattack in 2014 on Starwood, a business later acquired by Marriott. 339 million guest records globally were affected, of which 7 million related to data subjects in the UK. The attacker gained access to a wide range of information, including names, email addresses, phone numbers, passport numbers, arrival and departure information, VIP status and loyalty program information. Marriott became aware of the breach in September 2018 and made a breach notification to the ICO in November 2018.

ICO Decision

The ICO announced a fine against Marriott International Inc of £18.4 million on 30 October 2020. Whilst it is still a very significant fine, it was a substantial reduction from the original proposed fine of £99.2 million announced by the ICO in its notice of intent in July 2019. The reduction was expected, though, in light of the ICO's similar reduction of its fine against British Airways from £183.39 million to £20 million. The ICO highlighted that the fine related only to the period from 25 May 2018, when the GDPR came into force, and that Marriott had acted promptly once it discovered the breach.

The ICO found that Marriott failed to process personal data in a manner that ensured appropriate security of the personal data, as required by Article 5 and Article 32 of the GDPR. The ICO identified four main security failures:

  • insufficient monitoring of privileged accounts, which would have detected the breach;
  • insufficient monitoring of databases;
  • failure to implement server hardening as a preventative measure;
  • failure to encrypt certain personal data, including some passport numbers.

On a positive note, the ICO did not find that Marriott had breached its notification obligation under Article 33 of the GDPR, nor its Article 34 requirement to notify data subjects of the breach, but it noted that Marriott had accidentally omitted the phone number of its dedicated call centre from its email to data subjects.

An interesting point made by Marriott was that it had only been able to undertake limited due diligence when acquiring Starwood. The ICO, however, gave this argument short shrift. It made the point that the fine relates only to the period from May 2018, when the GDPR came into force. The ICO stated that the "need for a controller to conduct due diligence in respect of its data operations is not time-limited or a 'one-off' requirement" and that it is "no answer to claim that certain due diligence steps were, or only needed to be, taken in the period immediately after acquisition."

Fine Level

The ICO adjusted the fine downwards and took the following mitigating factors into account:

  • Marriott's full co-operation with the ICO investigation;
  • the steps taken by Marriott to mitigate the breach and its prompt contact with data subjects;
  • Marriott's improvement of, and investment in, security;
  • the impact on Marriott's brand and reputation;
  • the economic impact of Covid-19 on Marriott, which resulted in the ICO applying a further £4 million reduction to the fine.

Summary

Although the fine was significantly less than the previously announced proposed fine, it still demonstrates the impact of the ICO's enforcement powers. For any business involved in acquisitions, the case also highlights the importance of undertaking proper data due diligence in corporate transactions.

This article has been produced for general information purposes and further advice should be sought from a professional advisor. Please contact our Data Protection team at Cleaver Fulton Rankin for further advice or information.


Author(s)

Aisling Byrne

Director


Belfast Commercial Law Firm:

Cleaver Fulton Rankin,
50 Bedford Street,
Belfast, BT2 7FW

Tel: 028 9024 3141
E: info@cfrlaw.co.uk

Privacy Policy
Cookie Policy
Disclaimer

© 2021 Cleaver Fulton Rankin - Solicitors, Belfast
Created by WebsiteNI