The ICO's announcement yesterday (9 July 2019) that it intends to fine Marriott International £99.3m will send shock waves to boards across Europe. It comes only a day after the ICO's announcement that it intends to fine British Airways £183.39m (as covered in our Insight).
The intended fine relates to a cyber incident notified by Marriott International to the ICO in November 2018, concerning a vulnerability in the systems of Starwood Hotels Group. Starwood's systems were likely compromised in July 2014, well before Marriott International acquired Starwood in 2016.
A key part of the ICO's intention to fine Marriott International appears to relate to failures in its due diligence when it bought Starwood and the steps that it took after the acquisition to secure its systems. The case sends a clear warning to companies involved in M&A activities.
Whilst full details are not known publicly, it appears that as a result of the vulnerability at Starwood, approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.
It is understood that Marriott International was first alerted to the possibility of an anomaly on Starwood's guest reservation database on 7 September 2018 (some three months prior to its public announcements). Marriott International's CEO, Arne Sorenson, has previously stated that Marriott International's investigations discovered that malware was present on Starwood's systems, in the form of a Remote Access Trojan, as well as a penetration tool called Mimikatz.
The ICO acted as lead supervisory authority in relation to investigations regarding the incident (and pursuant to the GDPR's 'one stop shop' principle).
Osborne Clarke comment
In two days, the ICO has announced its intention to issue two huge fines for infringements of the GDPR (with the ICO announcing its intention to fine British Airways £183.39m on 8 July 2019). This contrasts with a previous lack of (visible) monetary enforcement activity; in the twelve month period immediately following the GDPR's implementation, the ICO issued no Monetary Penalty Notices under the GDPR (any Monetary Penalty Notices issued in this period were under the Data Protection Act 1998 and therefore subject to a £500,000 maximum fine).
The two intended fines are the first indications of the ICO's approach to its increased monetary enforcement powers under GDPR, which it presently appears willing to exercise to the fullest extent possible.
The importance of due diligence and post-acquisition integration
This cyber incident emphasises the importance of companies conducting adequate due diligence when making acquisitions in which they inherit legacy systems and networks. One of the key questions going forward will be the degree of due diligence (legal and operational) which companies should undertake to mitigate their risks in this respect and to ensure that they have taken "appropriate technical and organisational measures".
It also shows the need to integrate companies into a group from a technical perspective as quickly as possible. The ICO appears to have been critical of the steps taken by Marriott International to secure the Starwood systems after the acquisition in 2016.
Level of fine
From the announcements made to date, it is not clear how the ICO has calculated the level of intended fine (for either the Marriott International or British Airways data breach).
There are three areas of uncertainty.
Firstly, Marriott International acquired Starwood (and carried out its due diligence) prior to the GDPR's implementation. However, the vulnerability in Starwood's systems persisted post GDPR. It is unclear as to how the ICO has taken this into account in determining the level of fine (given the possibility that any key 'errors' in Marriott International's approach look likely to have occurred pre GDPR).
Secondly, and given the two levels of fine that can be levied under the GDPR, it will be interesting to compare the fines (ultimately) imposed by reference to the particular breaches which the ICO has determined occurred in each case.
Finally, any (eventual) Monetary Penalty Notice may also shed light on how the ICO calculates the maximum levels of fine which it can impose (across the two tiers of fines which can be levied). The two levels of maximum fine are both calculated by reference to the “worldwide annual turnover” of the relevant “undertaking”. To date, there has been no detailed indication as to how the ICO will interpret these terms.
Whilst it was to be expected that the ICO's investigations into the more complicated data breach notifications that it had received would take some time to reach the enforcement stage, it appears that the ICO's hand has been forced into making public announcements earlier than it would have wanted.
Typically, the ICO does not announce its intention to fine given, not least, the opportunity which is available for the affected company to make representations in relation to a Notice of Intent to fine before any publicly available Monetary Penalty Notice is imposed. Here, the ICO's announcements appear to have been prompted by Marriott International's and British Airways' compliance with (other) regulatory obligations (with Marriott International making a regulatory filing with the SEC and British Airways making an announcement to the London Stock Exchange pursuant to its obligations under the Market Abuse Regulation (MAR)).
The public announcements raise issues for both the ICO and each of the companies involved.
Under the pre-GDPR regime, there was often scope to seek to persuade the ICO to decrease the level of any intended fine - with the ICO, in some cases, reducing its intended fine by a significant percentage.
Now, following the ICO's public statements (which have garnered significant media attention), it remains to be seen whether the ICO will still be willing to take on board representations made to it so as to reduce the level of those intended fines in a significant way. The ICO may very well feel that it must now proceed with issuing the intended fines, so as to avoid accusations that its initial determination as to the intended level of fine was in some way flawed or borne out of poorly conducted investigations.
It appears that British Airways determined that it was obliged to announce the ICO's intention to fine pursuant to its obligations under MAR. Under MAR, listed companies are required to announce inside information without delay (being, broadly, any information investors would factor in to their investment decisions in relation to relevant securities), unless they are permitted to delay disclosure in order to protect their own "legitimate interests".
Commonly, listed companies delay notification of matters under negotiation under this principle (for example, a significant M&A transaction). MAR allows this where "the outcome or normal pattern of those negotiations would be likely to be affected by public disclosure".
Given British Airways' decision to announce the ICO's intention to fine, it appears that British Airways determined that there was no legitimate interest protection to enable a delay until the level of fine was ultimately fixed. That assessment highlights the potential need for all listed companies that suffer a data breach to make an announcement at the same point in time. In making its announcement, British Airways may now have set a precedent that listed companies should (and will) make announcements upon the receipt of a Notice of Intent that a material fine will be levied (rather than upon the receipt of the final Monetary Penalty Notice).