Wake Up Hospitality: Marriott Fine Proves GDPR Legislation Has Teeth

July 29, 2019 Collin Varner

I recently contributed my insights on the recent GDPR fines within the hospitality industry. You can read those thoughts below and the entire article over at hospitalitytech.com

In a recent press release, Marriott International announced that the UK Information Commissioner's Office (ICO) communicated its intent to issue a fine in the amount of £99,200,396 (over $124 million) against the company for infringements of the General Data Protection Regulation (GDPR) in relation to the Starwood guest reservation database incident.


What Happens Next?

Since this is a notice of an intent to fine, the proposed fine could change. According to Odia Kagan, partner and Chair of GDPR & International Privacy at Fox Rothschild, the ICO will soon hear representations, from Marriott and potentially other parties (like other data protection authorities) as to the findings and the size of the fine. These representations may affect the potential fine and mitigate it. This process may take several months. After this, the ICO will issue its actual decision.

Marriott will have the right to appeal the decision to the First Tier Tribunal (Information Rights) within 28 days of the decision, Kagan explains. The progression of any appeal is a matter for the tribunal. If the Tribunal decides that the Commissioner’s decision was wrong in law, or that she exercised her discretion wrongly, it can overturn the decision and issue a substitute decision notice. If an appeal raises particularly complex or important issues, it may be transferred to the Upper Tribunal (Administrative Appeals) Chamber. The Upper Tribunal also hears appeals against decisions of the First Tier Tribunal (Information Rights). Appeals against decisions of the Upper Tribunal are heard in the Court of Appeal.



In its statement, the ICO said its "investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems."

"The GDPR makes it clear that organizations must be accountable for the personal data they hold."

The ICO's Information Commissioner Elizabeth Denham added: "The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected. Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public."

"Per Article 83 administrative fines under the GDPR are to be 'effective, proportionate and dissuasive,'" says Matt Wilson, Chief Information Security Advisor at BTB Security, a cybersecurity consulting firm. "So yes, the ICO is absolutely making an example out of Marriott, and they told everyone at least three years ago that they would. It has been well understood among privacy and security professionals that GDPR would first impact the large multi-national corporations which have the most means and largest data sets. Eventually this will trickle down to smaller companies, but this is exactly what was supposed to happen."

Divya Gupta, a partner at the international law firm Dorsey & Whitney, agrees. She says this should serve as a wake-up call to all hospitality businesses.

"This fine is a warning to companies that fail to protect private information from loss, damage or theft," Gupta said. "The fines are intended to encourage compliance because when entrusted with personal data, it’s a company’s job to diligently look after it, and for many years companies have gotten away with not doing so."

Additionally, although the data breach at Starwood began before Marriott acquired the company, the ICO is still holding Marriott responsible for not catching the breach prior to or during the acquisition process.

Collin Varner, Cybersecurity, Senior Associate of Schellman & Company, LLC, a global independent security and privacy compliance assessor, notes that the ICO's action could change the way hotels view mergers and acquisitions and the protocols they put into place when considering such an action.

"Vulnerabilities that are identified should not only be remediated, but researched to ensure it was not exploited."

"Organizations should take a lesson from Marriott when seeking a merger or acquisition and perform adequate due diligence on a company’s IT environment to ascertain the health of their information security practices," Varner notes. "Vulnerabilities that are identified should not only be remediated, but researched to ensure it was not exploited. Considering the breach initially occurred two years prior to Marriott absorbing Starwood, I believe we could see a change in how organizations approach partnerships and acquisitions to abstain from risks to company reputation.”

Read full article at HospitalityTech.com >>

About the Author

Collin Varner

Collin is a Senior Manager with Schellman Compliance, LLC based in Denver, Colorado. Collin is focused primarily on specializing in IT attestation, audit, and compliance activities as they relate to numerous standards including SOC, HIPAA, CMMC, and a suite of ISO standards. Prior to joining Schellman, Collin held roles tasked with planning, organizing, and managing multiple facets of information technology and security reviews including cybersecurity assessments, risk management, internal and external audit, system implementations, and customized attestation reporting.

More Content by Collin Varner
Previous Article
How Bots Can Tell When the C-Suite Is Lying
How Bots Can Tell When the C-Suite Is Lying

Companies are applying natural language processing (NLP), sentiment analysis and machine learning to the fi...

Next Article
Rundown: The Cloudy Role of FedRAMP
Rundown: The Cloudy Role of FedRAMP

On Wednesday July 17th, I had the distinct honor of providing the assessor perspective at a FedRAMP hearing...


First Name
Error - something went wrong!