I recently contributed my insights on the recent GDPR fines within the hospitality industry. You can read those thoughts below and the entire article over at hospitalitytech.com
In a recent press release, Marriott International announced that the UK Information Commissioner's Office (ICO) communicated its intent to issue a fine in the amount of £99,200,396 (over $124 million) against the company for infringements of the General Data Protection Regulation (GDPR) in relation to the Starwood guest reservation database incident.
What Happens Next?
Since this is a notice of an intent to fine, the proposed fine could change. According to Odia Kagan, partner and Chair of GDPR & International Privacy at Fox Rothschild, the ICO will soon hear representations from Marriott, and potentially from other parties (such as other data protection authorities), as to the findings and the size of the fine. These representations may affect the potential fine and mitigate it. This process may take several months. After this, the ICO will issue its actual decision.
Marriott will have the right to appeal the decision to the First Tier Tribunal (Information Rights) within 28 days of the decision, Kagan explains. The progression of any appeal is a matter for the tribunal. If the Tribunal decides that the Commissioner’s decision was wrong in law, or that she exercised her discretion wrongly, it can overturn the decision and issue a substitute decision notice. If an appeal raises particularly complex or important issues, it may be transferred to the Upper Tribunal (Administrative Appeals) Chamber. The Upper Tribunal also hears appeals against decisions of the First Tier Tribunal (Information Rights). Appeals against decisions of the Upper Tribunal are heard in the Court of Appeal.
Is the ICO Sending a Message?
In its statement, the ICO said its "investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems."
The ICO's Information Commissioner Elizabeth Denham added: "The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected. Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public."
"Per Article 83 administrative fines under the GDPR are to be 'effective, proportionate and dissuasive,'" says Matt Wilson, Chief Information Security Advisor at BTB Security, a cybersecurity consulting firm. "So yes, the ICO is absolutely making an example out of Marriott, and they told everyone at least three years ago that they would. It has been well understood among privacy and security professionals that GDPR would first impact the large multi-national corporations which have the most means and largest data sets. Eventually this will trickle down to smaller companies, but this is exactly what was supposed to happen."
Divya Gupta, a partner at the international law firm Dorsey & Whitney, agrees. She says this should serve as a wake-up call to all hospitality businesses.
"This fine is a warning to companies that fail to protect private information from loss, damage or theft," Gupta said. "The fines are intended to encourage compliance because when entrusted with personal data, it’s a company’s job to diligently look after it, and for many years companies have gotten away with not doing so."
Additionally, although the compromise of Starwood's systems began before Marriott acquired the company, the ICO is nonetheless holding Marriott responsible: for failing to detect it through due diligence prior to and during the acquisition, and for not doing more to secure those systems once it owned them.
Collin Varner, Senior Associate, Cybersecurity, at Schellman & Company, LLC, a global independent security and privacy compliance assessor, notes that the ICO's action could change the way hotels view mergers and acquisitions and the protocols they put into place when considering such a transaction.
"Organizations should take a lesson from Marriott when seeking a merger or acquisition and perform adequate due diligence on a company's IT environment to ascertain the health of their information security practices," Varner notes. "Vulnerabilities that are identified should not only be remediated, but researched to ensure they were not exploited. Considering the breach initially occurred two years prior to Marriott absorbing Starwood, I believe we could see a change in how organizations approach partnerships and acquisitions to abstain from risks to company reputation."
About the Author: Collin Varner