An analysis of the Monetary Penalty Notice issued by the Information Commissioner’s Office to Marriott International, Inc. dated 30 October 2020

Marriott notified the ICO initially on 22 November 2018, and later on 30 November 2018, upon discovering additional breaches. Affected data subjects started to be informed of the breach from 30 November 2018, when Marriott issued a press release about the attack and established a dedicated incident website.

The ICO’s regulatory response

The ICO commenced its investigation shortly thereafter, and issued a NOI the following July, informing Marriott of its intention to fine it £99.2 million.

As in BA’s case, Marriott provided three sets of substantive written representations (on 23 August 2019, 31 January 2020, and 17 April 2020).³

The basis on which the fine was calculated

Again, the key question invited by this MPN is why the final penalty – as in the BA MPN – is significantly lower than that which was proposed in the ICO’s NOI.

In a similar manner to the BA MPN, the Marriott MPN elides the issue and instead proceeds to analyse the penalty in line with the five-step approach in the ICO’s Regulatory Action Policy (“RAP”).

The key factors at play in the Commissioner’s determination of the quantum of fine included:

• The fact that Marriott did not derive any financial benefit from the breach;
• The “significant concern”⁴ the Commissioner had in respect of the nature of Marriott’s failings and the “extremely large number of individuals [who] were affected by the breach [339 million guest records, of which 30.1 million were associated with EEA Member States]”⁵, some of whom, the Commissioner considered, would likely have suffered distress as a result of the disclosure of their personal information, despite Marriott's contentions to the contrary⁶;
• The “significant”⁷period of time (4 months) over which unauthorised access to personal data went undetected (whilst the attack started in September 2014, as noted above, the Commissioner’s findings in respect of the breaches were limited to a much shorter period);
• The negligent (but not intentional) nature of Marriott’s breaches⁸;
• The fact that Marriott were “wholly responsible”⁹ for the breaches of GDPR during the Relevant Period. The Commissioner noted in this respect that, “[w]hile the entry of the Attacker into Starwood’s systems pre-dates Marriott’s acquisition of that company, Marriott has an ongoing duty to ensure the safety and security of the systems it was suing to process personal data”¹⁰. Marriott’s argument that the engagement of Accenture to provide third party IT services should be taken into account when assessing degrees of responsibility was given short shrift by the Commissioner, who noted that “the engagement of third parties cannot reduce [Marriott’s] degree of responsibility”¹¹. Similarly, short shrift was also given to the suggestion that Marriott's adherence to industry standards in relation to payment data was evidence of a wider compliance with data protection legislation¹²;
• The full cooperation which Marriott gave to the ICO in relation to its investigation; and
• The absence of previous infringements on Marriott’s part.

An initial figure of £28 million was reached, which was reduced by 20% to £22.4 million, in light of the following mitigating factors¹³:

• Marriott’s increased investment in IT security (it had committed to an increased budget for IT security in 2018 prior to becoming aware of the breach and the budget for IT security for 2020 was increased to $108.5 million);
• The immediate steps taken by Marriott to mitigate the effects of the attacks, including:

• Deployment of real-time monitoring and forensic tools on Starwood devices; 
• Password resets; 
• Disabling known compromised accounts; 
• Implementation of enhanced detection tools;

• Steps taken by Marriott to mitigate the impact of the breach on data subjects, including the establishment of a notification and communication regime (involving notification emails, an incident website and a dedicated call centre). Albeit, no credit was given by the Commissioner in relation to the fact that Marriott had allegedly spent in excess of $50 million in customer-facing remediation activities;
• Widespread media reporting, which is likely to have increased awareness amongst other data controllers of the risks posed by cyber-attacks; and
• The adverse effect which the breach had on Marriott’s brand and reputation.

 As it did in relation to BA, the Commissioner permitted a further reduction of just over £4 million to take into account the impact of Covid-19 on Marriott’s business. The final figure was therefore £18.4 million.

Returning to the question of why this figure is so small by comparison to the fine proposed in the NOI, it is evident that the Commissioner had used – as she had in the BA case – an unpublished internal document entitled “Draft Internal Procedure for Setting and Issuing Monetary Penalties” (“DAP”), which used turnover as the central metric for calculating fines. However, the ICO informed Marriott by way of a letter dated 6 December 2019 – the same date on which BA received an equivalent letter – that the “[DAP] would not be taken into account in setting any penalty imposed on Marriott”.¹⁴ The arguments raised by Marriott in their first representations as to the applicability of the DAP appear to have tracked very closely those made by BA in respect of the same subject matter, and were ultimately successful. The Commissioner made clear in the MPN that reliance was solely placed on Article 83 GDPR, section 155 of the Data Protection Act 2018 and the RAP in deciding the quantum of the fine.

The Commissioner otherwise reiterated a number of points in respect of penalty calculations which had been raised in the BA MPN, notably:

• That the turnover based approach remains “a relevant consideration in determining the appropriate level of penalty”;¹⁵
• That the current penalty regime does not lack sufficient legal certainty; and
• A lex specialis argument does not apply in the context of a consideration of the interrelationship between Articles 5(1)(f) and 32 GDPR. Whilst BA had argued that there was a clear conflict between the two provisions, Marriott tried a slightly different tack, submitting that Article 5(1)(f) was merely a shorter, summary version of the more detailed, specific obligation in Article 32, and therefore the latter amounted to the lex specialis of the former. The ICO rejected this contention, noting that Article 5(1)(f) is “one of the basic principles of processing” and “cannot be dismissed as simply a summary of a later new provision in the GDPR”¹⁶.

Appropriate technical/organisational measures

The BA MPN was a veritable treasure trove of useful guidance in relation to the Commissioner’s views on “appropriate technical and organisational measures”. The Marriott MPN is no different, albeit with a shift in focus.

Whilst much discussion in the BA MPN was focussed on the steps which might be taken to prevent initial access to IT systems, the Marriott MPN is more focussed on steps which might be taken to identify breaches, and to prevent further unauthorised activity within IT systems, after they have been compromised (issues which were also covered in detail in the BA MPN). This difference in emphasis reflects the fact that, in Marriott's case, the underlying attack had been ongoing since 2014.  

Four principal failings were identified by the Commissioner as contributing to her conclusion that “Marriott failed [between 25 May 2018 and 17 September 2018] to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures, as required by Article 5(1)(f) and Article 32 GDPR”¹⁷, namely:

• Failure to sufficiently monitor privileged accounts¹⁸. The BA MPN discussed privileged account management¹⁹ and provided significant commentary regarding the ease with which the attacker obtained privileged account details. The Marriott MPN does not provide commentary on that issue, and focusses instead on privileged account monitoring. The Commissioner noted that, once access had been gained by the attacker to the Starwood Cardholder Data Environment (“CDE”), there were not appropriate or adequate measures in place to identify the breach and prevent further unauthorised activity, partly because Marriott failed to appropriately monitor privileged account user activity.²⁰ A forensic report prepared by Verizon noted that Marriott had not configured logging in respect of “access to systems and/or applications within the CDE”²¹. Appropriate monitoring in this respect “would have included the appropriate logging of user activity, especially in relation to privileged users.” The logging of user activity “once within the CDE…would have aided the detection of unusual client activity”.²²
• Failure to sufficiently monitor databases²³. Numerous failings were identified in relation to database monitoring within the CDE:
   
  • Security alerts: Alerts were only placed on tables within the CDE that contained payment card information. Whilst a risk-based approach may entail additional security alerts being set up in relation to payment card data, this “[did] not justify a complete lack of alerts on tables containing other personal data”²⁴.
  • Logging: Despite utilising IBM Guardium to monitor database activity, this did not prevent key issues in respect of logging. The Commissioner found that there was insufficient logging of key activities – for example, there was no server logging of the creation of files. This allowed the attacker to export entire databases to “dmp” files undetected. Such logging would have been “feasible” for Marriott, as a mass export of data such as this would not regularly occur in the course of business and therefore the number of false positives would have been low²⁵. The Commissioner concluded: “[t]hat Marriott did not detect the attack until alerted by Guardium is indicative of Marriott failing regularly to test, assess and evaluate the effectiveness of its security measures.”²⁶
  • MFA: The Commissioner was at pains to emphasise that: "[c]ontrol of access through MFA does not displace the need for adequate monitoring (including logging) of activities that assist in detecting a breach once it is in train."²⁷
• Failure to control critical systems²⁸. In addition to increased monitoring, the Commissioner noted that it would have been appropriate for Marriott to implement server hardening²⁹ “which could have prevented the Attacker from gaining access to administrator accounts and performing reconnaissance before traversing across a network”³⁰. Whitelisting would have been one such measure. At a minimum, this could have been expected on: (1) devices which could be remotely accessed; (2) devices which store large amounts or sensitive categories of data; (3) any other systems “critical” to network operations; and (4) any POS terminals at a property level and other devices which process payment card transactions³¹ Marriott could also have “carried out regular audits, updates of software and restricted file and directory permissions”³². These measures were described by the Commissioner as “readily available and mature solutions” which could have been implemented “without entailing excessive cost or technical difficulties”³³.
• Failure to use encryption appropriately³⁴ The Commissioner took issue with the fact that, whilst payment card data and some passport numbers had been encrypted using an industry standard algorithm, not all passport numbers were encrypted³⁵. This approach was described as “inconsistent” and lacking rationale. Nor did she accept Marriott’s argument that it would have been impractical to have encrypted more personal data; she suggested that methods such as the use of UUIDs³⁶, or hardware security modules, could have been utilised so that decryption could have taken place quickly and with ease³⁷.

Perhaps the most notable point to arise from the Commissioner’s analysis of the appropriate technical and organisational measures is the importance of organisations having in place multiple layers of security. The Commissioner acknowledged that “no single security measure can fully protect a system against attack or compromise”. As such, it is wholly appropriate to adopt a strategy of “defence in depth”³⁸. In this regard, the Commissioner was at pains to emphasise, as was the case in the BA MPN, that Marriott had failed to heed publicly available guidance in developing its cyber-security policies and procedures, referring, in particular, to the NCSC's "10 Steps to Cyber Security: Guidance on how organisations can protect themselves in cyberspace, including the 10 steps to cybersecurity"³⁹ and "Introduction to identity and access management"⁴⁰.

It is also worth noting that, as she did in the BA MPN, the Commissioner rejected the assertion that the sophisticated nature of the attack in any way detracted from culpability: “the sophistication or specific vector of the attack is not the relevant focus”⁴¹.

Notification requirements

When the Marriott NOI was issued, the Commissioner considered that Marriott had breached both Articles 33 and 34. However, the Marriott MPN finds that, on further consideration, including of Marriott's representations, this was not, in fact, the case. The reasoning behind the Commissioner's findings provides helpful guidance regarding the ICO's interpretations of these aspects of the GDPR.

Article 33 GDPR

The Commissioner helpfully clarified the appropriate test to be applied by data controllers when deciding whether to make a notification to the ICO in accordance with Article 33 GDPR.

Marriott had argued that a data controller must be “reasonably certain” that a data breach has occurred before notifying the ICO. The Commissioner disagreed: a data controller “must be able to reasonably conclude that it is likely a personal data breach has occurred to trigger the notification requirement under Article 33”⁴².

Article 34 GDPR

The Commissioner emphasised that, although she considered Marriott had not, in fact, breached Article 34 GDPR, the fact that it had established a dedicated website regarding the breach, and issued a press release in relation to it, was not sufficient to discharge its obligations in this regard⁴³; it was obliged to contact affected data subjects individually (e.g. via email) unless it could be shown that to do so would involve disproportionate effort, which, on the facts, Marriott was unable to demonstrate.

Appeal

Marriott has stated that it does not intend to appeal the ICO’s decision. In doing so it emphasised, no doubt with a view to the civil claims which it is facing arising out of the breach, that it makes no admission of liability in relation to the Commissioner's findings or the underlying allegations.

Comment

Operate legacy systems at your peril

Marriott had planned to migrate the data on Starwood's IT systems, which Marriott had improved since it had acquired Starwood, to Marriott's IT systems before GDPR had come into force, and, thereafter, decommission Starwood's IT systems. However, that process was delayed until the end of 2018, meaning that personal data continued to be located on those IT systems after the GDPR came into force.

In the instant case, Marriott's request for clemency on the basis that the IT systems affected were due to be decommissioned, and the fact that it had made improvements to those systems since it acquired Starwood, fell on deaf ears, with the Commissioner emphasising: “the fact that an IT system is due to be retired shortly does not disapply the GDPR to the data being processed through that system”⁴⁴. Whilst decommissioning “may be a relevant factor in determining what measures would be appropriate in a given case, this ultimately does not remove the basic obligation to put in place security measures appropriate to the risk posed by the continued processing”⁴⁵.  

The message is clear: organisations should not let their guard down just because a system is due shortly to be decommissioned or expect to be relieved of their obligations as data controller pursuant to the GDPR by virtue of the fact that steps have been taken to improve legacy systems following a takeover.

Levels of future sanctions

It is hardly surprising that the final penalty imposed on Marriott is significantly lower than that which was proposed in the NOI, not least given: (1) the approach taken by the Commissioner in the BA MPN; and (2) the ICO’s investigations into these breaches, the issuance of NOIs, and thereafter, the process of finalising MPNs (taking into account representations made to the Commissioner), ran in tandem.

However, as we noted in our analysis of the BA MPN, caution should be exercised before interpreting this reduction as an indicator of: (1) the level of futures fines which may be set by the Commissioner; and (2) the approach to calculating fines which will be adopted by the Commissioner in future cases.

Draft statutory guidance published by the ICO in October 2020 on its regulation policy (the “Guidance”) departs from the five-step approach in the RAP, which was relied upon by the Commissioner in both the BA and Marriot MPNs. The Guidance instead sets out a nine step approach, with fines in the first instance being calculated in accordance with turnover. Had the Guidance been applied in relation to Marriott, the starting point for the penalty would have been more than double the proposed figure set out in the NOI⁴⁶. As we noted previously, assuming the Guidance is finalised in its current form, “mega” fines – running into the hundreds of millions of pounds – remain a distinct possibility.

Whether or not the Guidance is adopted, the Marriott MPN, like the BA MPN, reinforces the importance for organisations seeking to reduce any potential fine as a result of a serious data breach of (most notably):

• Promptly taking steps to mitigate the effects of the breach (in the present case, for example, deploying real-time monitoring and forensic tools) and addressing deficiencies in “technical and organisational measures” which have become apparent as a result of the breach (here, principally, significantly increasing investment in IT security); and
• Robustly challenging the Commissioner’s early findings in any NOI. Marriott’s proactive and front-foot approach bore dividends in this respect, as did BA’s previously. The Marriott MPN notes, for example, that: "[h]aving considered, in particular, Marriott's Second Representations in response to the draft decision, the Commissioner is satisfied that Marriott did not breach its obligations under the GDPR by relying upon" advice from independent PCI DSS assessors regarding the application of MFA to certain aspects of Starwood's IT Systems⁴⁷ and "in the light of Marriott's Representations, the Commissioner has decided not to make a finding that Marriott breached Article 33 GDPR"⁴⁸. Marriott's representations also appear to have been persuasive in the Commissioner determining that she "was wrong provisionally to find in the NOI that Marriott's notification to data subjects breached Article 34 of the GDPR"⁴⁹.

Given that the fines which have now been levied against BA and Marriott are of a similar order, and reflect a similar approach in terms of the reductions: (1) made by reference to the fines proposed in the NOI; (2) to reflect the impact of Covid-19 on their recipients' operations; and (3) to reflect the recipients' engagement with the ICO's investigations, further guidance as to how turnover will be weighed in the balance would be welcomed by practitioners, data controllers and processors alike.

Civil claims against Marriott

Our previous analysis on civil claims in respect of BA holds true in relation to Marriott. The upshot of that analysis is, in short, that if all affected guests pursue claims against Marriott, it could be facing liability from those proceedings which may well be many multiples of the fine imposed by the ICO⁵⁰.

Due diligence in corporate acquisitions

The regulatory sanction to which Marriott is subject also serves to highlight the importance of undertaking careful due diligence, and securing relevant contractual protections, for purchasers undertaking corporate acquisitions.

In the instant case, whilst the Commissioner did accept that “[t]here may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover”⁵¹ this was of little relevance, as the Commissioner considered that Marriott had had ample time to address issues which were extant at the time of the Starwood acquisition and following that acquisition, and had failed to address those issues, emphasising: "[t]he need for a controller to conduct due diligence in respect of its data operations is not time-limited or a 'one-off' requirement"⁵².

Although, regrettably, the Marriott MPN provides little real guidance as to what the ICO would consider best practice in this regard, it is hard to see why a data controller which has acquired a business which has caused data subjects loss by virtue of unlawfully processing, or failing to adequately safeguard, their personal data should be entitled to expect any diminution in the regulatory sanction applicable by virtue of the fact that it conducted thorough due diligence of the target.

Purchasers would instead be well advised to protect themselves in relation to any latent liabilities arising from breaches of data protection legislation on the part of the target company by:

• Undertaking as thorough due diligence as is practicable prior to entering into a corporate acquisition so that any such liabilities can be ascertained (subject to the limitation identified by the ICO regarding competitor businesses) and priced into the deal or appropriate contractual protection can be sought;
• Ensuring that they secure wide-ranging warranties and indemnities specifically focussing on this risk, potentially supported by warranty and indemnity insurance⁵³ as appropriate, to ensure that the vendor or an insurer assumes responsibility for such liabilities; and
• Undertaking a thorough review of the target's legacy IT systems as soon as practicable following acquisition, and, in any event, well prior to the expiry of any relevant time limitations applicable to the warranties and indemnities provided by the vendor, in order to identify any such liabilities, so that relevant contractual notices, or claims under policies of insurance or otherwise, can be served promptly.

¹  https://www.legislation.gov.uk/ukpga/1998/29/schedule/1/2016-03-30. 

²  Deleted versions of compressed files containing the "dmp" files were located during Marriott's internal investigations into the breaches, indicating that this was likely.

³  As noted in our analysis of the BA MPN, at law Marriott was limited to making a single set of representations. The Commissioner agreed, however, to permit further representations to be made, on the same basis as with BA, namely because of the complexity of the case; Marriott’s representations; and “the fact that this is one of the first major decisions made under the new EU data protection regime”.

⁴  Paragraph 7.9 of the MPN. 

⁵  Paragraph 7.11 of the MPN.

⁶  The Commissioner was at pains to note: "Marriott's suggestion that distress will only arise in cases where they are advised by their banks to cancel their payment cards ignores the fact that all personal data (not just financial data) is of significance to individuals, a significance which is reflected in the legal protections afforded to that data under the GDPR."

⁷  Paragraph 7.13 of the MPN.

⁸  Paragraphs 7.15 and 7.16 of the MPN.

⁹  Paragraph 7.26 of the MPN.

¹⁰  Paragraph 7.24 of the MPN.

¹¹  Paragraph 7.28 of the MPN.

¹²  Paragraph 7.30 of the MPN.

¹³  Paragraphs 7.41-7.44 of the MPN. 

¹⁴  Paragraph 5.6 of the MPN.

¹⁵  Paragraph 7.72 of the MPN. The Commissioner also makes it clear that, in her view, contrary to Marriott's contention, this approach is not in breach of fundamental rights to property as provided for under Article 1 of Protocol 1 of the European Convention on Human Rights, and Article 17 of the EU Charter of Fundamental Rights.

¹⁶  Paragraph 7.82 of the MPN. 

¹⁷  Paragraph 1.6 of the MPN. 

¹⁸  Paragraphs 6.13-6.20 of the MPN.

¹⁹  At paragraphs 6.57-6.80.

²⁰  Paragraph 6.13 of the MPN. The failure to secure the “outer ring” of the CDE was not a subject of the MPN. The Commissioner had noted that Marriott had failed to implement complete multi-factor authentication (“MFA”) – which allowed the attacker to exploit a gap in the “outer ring” of the CDE – but that, because Marriott had relied upon two Reports on Compliance, issued by PCI DSS assessors, which stated that MFA was in place for anyone requiring access to the CDE, the Commissioner was satisfied that this did not did not constitute a breach of the GDPR.

²¹  Paragraph 6.18 of the MPN. 

²²  Paragraph 6.19 of the MPN. 

²³  Paragraphs 6.21-6.30 of the MPN.

²⁴  Paragraph 6.28 of the MPN. 

²⁵  Paragraph 6.23 of the MPN.

²⁶  Paragraph 6.25 of the MPN. 

²⁷  Paragraph 6.30 of the MPN. 

²⁸  Paragraphs 6.31-6.38 of the MPN.

²⁹  See also paragraphs 6.30-6.56 of the BA MPN.

³⁰  Paragraph 6.31 of the MPN. 

³¹  Paragraph 6.34 of the MPN. The Commissioner rejected Marriott’s contention that binary software whitelisting was rarely implemented by companies at the time of the incident; it was a “well-recognised and established security practice for some time before the GDPR came into force”. 

³²  Paragraph 6.36 of the MPN. 

³³  Paragraph 6.38 of the MPN. 

³⁴  Paragraphs 6.39-6.47 of the MPN.

³⁵  Paragraphs 6.39 and 6.40 of the MPN. 

³⁶  Universally unique identifiers.

³⁷  Paragraph 6.43 of the MPN. 

³⁸  Paragraph 6.37 of the MPN. Also see paragraph 6.17.

³⁹  Paragraph 6.15 of the MPN.

⁴⁰  Paragraph 6.16 of the MPN.

⁴¹  Paragraph 6.55 of the MPN. 

⁴²  Paragraph 6.73 of the MPN. 

⁴³  Paragraph 6.78 of the MPN.

⁴⁴  Paragraph 6.59 of the MPN. 

⁴⁵  Ibid.

⁴⁶  This calculation is based on the table at page 23 of the Guidance and the following assumptions: that the seriousness of the infringement is classified as “high”; that the breach was a product of negligence; and that the higher maximum amount would be 4% of Marriott's 2018 worldwide turnover.

⁴⁷  Paragraph 6.10-11 of the MPN.

⁴⁸  Paragraph 6.75 of the MPN. 

⁴⁹  Paragraph 6.76-6.81 of the MPN.

⁵⁰  It is noteworthy that no credit was given in relation to the substantial costs / exposure that this litigation will entail in either the BA or Marriott MPNs.

⁵¹  Paragraph 3.3 of the MPN. 

⁵²  Paragraph 6.64 of the MPN.

⁵³  It remains doubtful whether, as a matter of English law, it is possible to insure liabilities arising from regulatory sanctions to which the insured is subject.