The Information Commissioner had originally served a Notice of Intent to fine Marriott £99.2 million.
The final fine would have been £28 million, but was reduced by 20% to £22.4 million to take account of mitigating factors, including efforts taken on customer outreach. The fine was then further reduced to £18.4 million in light of the Commissioner’s Covid-19 related regulatory action policy amendments. Although Marriott’s security breach is thought to have lasted from 2014 to 2018, the fine was specific to the period after the GDPR became fully applicable – that is, from May 2018 to September 2018. The breach affected 30.1 million EEA records [1].
Controllers must have programmes to monitor for breaches, should encrypt and should appropriately protect key assets
In 2014, a malicious actor infiltrated the systems of Starwood Hotels, which was acquired by Marriott in 2016. The malicious actor accessed and exfiltrated millions of records. Although credit card records were encrypted, detailed reservation records – including large numbers of passport numbers – were not encrypted.
The Commissioner concluded that Marriott had inadequate monitoring of user accounts and of databases: although this would not have prevented the attack, it would have made earlier detection more likely. The Commissioner also concluded that Marriott had failed to deploy sufficient security on its key systems – in particular, the Commissioner concluded that it should have deployed “server hardening” (i.e. restricting access to key systems to specified, approved IP addresses). Lastly, Marriott had only encrypted credit card data. The Commissioner expressed particular concern that passport numbers were not encrypted. In addition, Marriott’s encryption seemed to be compromised (the details of this part of the notice are redacted).
Marriott is facing group litigation in relation to the incident – and the findings of fault in the Commissioner’s monetary penalty notice will be helpful to the claimants there.
Breaches of security can trigger the higher, 4% fine – and worldwide turnover, not UK turnover, is the reference point
Readers who know their GDPR by heart will know that the obligation to implement appropriate technical and organisational measures is set out in Art. 32 GDPR – for which the maximum fine is 2% of worldwide turnover or €10 million, whichever is higher. However, the GDPR also refers to an obligation to implement appropriate security in Article 5(1)(f) – among the data protection principles applicable to controllers – for which the maximum fine is 4% or €20 million.
ICO found Marriott to be in breach of Article 5(1)(f) – thus allowing the higher cap to be applied (although the actual penalty imposed is, in any event, within the lower amount).
ICO looked to the turnover of the ultimate controller, Marriott International Inc, in considering this, rather than looking at turnover applicable to the EEA or to the UK business.
Outsourcing your information security doesn’t mean you avoid a fine
Marriott noted that it outsourced its information security to Accenture. The Information Commissioner noted robustly that where an organisation accepts that it is the controller, engaging a third party cannot reduce the controller’s responsibility.
Marriott had also engaged a third party to carry out PCI DSS audits for it. The audit reports incorrectly asserted that multi-factor authentication was in place for these systems. ICO said that it was reasonable for Marriott to rely on these statements – even though they were incorrect.
The decision does not comment on the difference in approach between Accenture and the PCI auditor. The difference could be because Marriott could clearly show an error on the part of the auditor, whereas the decision does not make any reference to Accenture being at fault. This may be an area which becomes important in other decisions.
Relevant factors in setting and reducing the fine
The final decision notice doesn’t explain how the Commissioner arrived at the figure of £28 million. It does note that this was regarded as a very serious breach; that a security breach from May to September 2018 was regarded as being a significant period; and that the number of individuals, the degree of distress or harm (although there has been no evidence of financial loss) and the failure to apply reasonable measures to mitigate the breach were all relevant factors justifying the imposition of a (significant) penalty.
Mitigating factors included later investment in better security, the fact that Marriott created a bespoke website and had a call centre available, both operating in multiple languages, that it provided web monitoring and engaged with card issuers.
The Commissioner rejected arguments by Marriott that she relied too heavily on turnover to set the fine; that this just punished organisations for their size; and that, instead, an approach which had a set tariff for each type of breach would be more appropriate. The Commissioner also rejected arguments by Marriott that – by comparison with fines levied by other EEA authorities – this was too high. Here the Commissioner noted that while the GDPR should lead to more consistency, there were too few fines so far – and they were all fact specific – so that she was not persuaded by this. She also stated that the fact that the penalty had been submitted to the consistency mechanism under Art. 60 meant that it must be consistent with those applied elsewhere.
[1] Marriott noted that multiple records could relate to the same customer, so that the number of affected customers would be lower than this.