International hotel operator Marriott International, Inc. has been fined £18.4m by the UK Information Commissioner’s Office (ICO) for failing to protect the personal data of millions of customers. A cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide, Inc. resulted in an estimated 339 million guest records being affected worldwide, with seven million guest records relating to people in the UK.
The attack remained undetected until September 2018, by which time Starwood had been acquired by Marriott.
The fine is significantly lower than the £99m that had been initially proposed by the ICO in its notice of intent to fine, issued in July 2019.
The ICO found that Marriott had failed to meet its legal obligation to put in place appropriate technical and organisational measures to protect personal data processed on its systems.
The investigation highlights a number of important factors for businesses to consider, both generally and within the hotel sector, as outlined below.
Fine reduction: the ICO is willing to take due account of representations made by potential addressees of a penalty notice in determining the level of a fine. The ICO has indicated that it had regard to the steps Marriott took to mitigate the effects of the incident and the economic impact of Covid-19 on its business before setting a final penalty. The reduction from the initially proposed fine is significant in this case (as was seen with the British Airways Penalty Notice issued by the ICO earlier this month and discussed in more detail here).
Due diligence: the importance of conducting meaningful due diligence on a target’s data processing practices and its IT and security measures in place at the time of acquisition. Although in this case the ICO fined Marriott in respect of the period from 25 May 2018 (when the GDPR came into effect), this case serves as a timely reminder of the risks of inheriting liabilities from an acquired business.
Dual exposure from 1 January 2021: the future potential exposure to fines from both regulators within the EU and the UK. In this instance, because the breach happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. From 1 January 2021, personal data breaches which have effects in both the EU and the UK are susceptible to separate investigations and fines in each territory with the ICO no longer able to act as the lead supervisory authority from that time.
Owner and operator responsibilities: for hotel operators, the importance of having robust systems and processes in place to ensure compliance with the requirements of the GDPR, as well as having an appropriate cyber liability insurance policy in place. For hotel owners, ensuring that there is a clear delineation in hotel management agreements of responsibilities and liabilities for compliance with applicable data protection laws in respect of guest data. Owners should, where possible, be named as an additional insured on an operator’s cyber liability policy or should consider arranging for a policy in their own name.
Mitigating factors: in assessing mitigating factors to reduce the amount of the fine, the ICO attached weight in particular to the steps taken by Marriott upon becoming aware of the attack. The ICO noted that Marriott promptly took steps to mitigate the effects of the attack and to protect the interests of data subjects by implementing remedial measures, including among other things: (i) creating a bespoke incident website in numerous languages; (ii) sending notification emails to data subjects; (iii) establishing a dedicated call centre; and (iv) providing web monitoring to affected data subjects. Such measures will not be required in each instance, and should be proportionate to the scale of the data breach. However, the ICO’s considerations in this regard are informative.