Last week, on July 9, 2019, the United Kingdom’s Information Commissioner’s Office (ICO) announced its intention to fine Marriott International £99.3 million (about $124 million), or 2.5% of Marriott’s worldwide annual revenue, in connection with the Starwood customer loyalty program. Last November, Marriott announced a breach of the Starwood brand reservation database, potentially compromising the accounts of approximately 500 million guests. The compromise reportedly first took place in 2014, before Marriott acquired Starwood in 2016. According to the ICO’s statement, the breach involved a variety of personal data found in approximately 339 million guest records, including 30 million records relating to residents of 31 countries in the European Economic Area (EEA) and 7 million records relating to UK residents.
The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it acquired Starwood, and that it subsequently failed to secure the information after it fully merged with Starwood’s information systems. Information Commissioner Elizabeth Denham said:
The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected. [Emphasis added.]
Last November, Cyber News discussed how this case would be a first for examining the impact of GDPR on U.S. organizations’ liabilities. In our view, some lessons are emerging:
- The Starwood acquisition was pre-GDPR, but Marriott’s alleged failure to discover the compromise flowed into GDPR. Whether the ICO’s fine is based on Marriott’s pre-GDPR failures, or its post-integration oversight, the message is clear: in the absence of appropriate due diligence, acquiring a security incident through merger or acquisition will trigger liability under GDPR.
- As discussed by our friends at Osborne Clarke, typically the ICO does not announce its intention to fine an organization until the subject organization has had an opportunity to dispute the fine’s assessment. Here, the ICO’s announcement appears to have been in response to Marriott’s own reporting of the intended fine in compliance with its SEC reporting requirements. Thus, reporting requirements in the U.S. can impact the process of the ICO’s investigations.
- There has been significant discussion as to whether cyber liability insurance policies issued in the United States will cover GDPR fines. (Authorities in the EU have been more coy as to whether GDPR fines are insurable.) This question may be affirmatively answered, if available insurance is not already exhausted from other liabilities relating to the incident.
- Along these lines, other forms of insurance may be implicated, including D&O policies, as a result of claims made against Marriott’s directors and officers arising from the alleged failure to conduct “cyber due diligence” during the Starwood transaction. And will this liability create demand for a transaction-specific “cyber due diligence” policy?
As we previously noted, many practitioners in the cyber law and data protection field have been watching the European regulators carefully to see whether, and to what extent, they would seek to levy fines against Marriott for violations of the GDPR. Now that we have seen, at least in part, what certain European regulators would assess in this situation, it may guide how similarly situated U.S. companies build compliance controls for GDPR exposure into their risk management programs.