Just a day after the ICO provided notice of its intention to fine British Airways £183m ($228m) over a separate breach (please see our blog post here), on Tuesday, July 9, 2019, the ICO released another statement of its intention to fine Marriott International, Inc. (“Marriott”) over £99m ($123m) in relation to a security incident affecting the Starwood reservation database which Marriott had acquired in 2016 and discovered in November 2018. The statement came in response to Marriott’s filing with the US Securities and Exchange Commission that the ICO intended to fine it for breaches of the GDPR.
The ICO, acting as lead supervisory authority on behalf of the other EU data protection authorities, said it its statement, that of the 339 million guest records that were compromised globally as part of the incident, around 30 million of the affected guest records related to residents of 31 countries in the EEA and 7 million of these records related to UK residents.
The ICO has stated that it is believed that the vulnerability which caused the Starwood incident began in 2014. Marriott subsequently acquired Starwood in 2016 but the compromise was not discovered until 2018 when it was subsequently reported to the ICO.
The second significant action by the ICO in just two days, this reinforces how crucial it is for companies to be prepared for and able to respond to privacy and cyber security threats, including in due diligence in corporate acquisitions. In the ICO’s statement, Elizabeth Denham, the UK Information Commissioner, confirmed that “organisations must be accountable for the personal data they hold and this includes carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but how it is protected.”