Hot on the heels of British Airways’ £20m fine (covered here), the UK Information Commissioner’s Office has fined Marriott £18.4m for alleged data security failings linked to the breach of 339 million guest records.  Like the British Airways fine, the penalty is a significant climb-down from the amount originally proposed (£99m) in July 2019.  The penalty notice provides helpful insights into the ICO’s expectations for data security and breach notification.

What happened?

The ICO’s penalty notice provides details that were not previously made public. Although the ICO’s penalty covers only the post-GDPR period, the underlying breach of Starwood’s systems first occurred in 2014, before Marriott acquired Starwood in 2016.  According to the penalty notice, the initial intrusion took place when an attacker gained remote access using a web shell, before moving laterally using a combination of a remote access tool with privileged access and credential harvesting malware.

With that access, the attacker staged various customer databases for exfiltration over a number of years.  The compromise was eventually discovered after an automated alert was triggered on 7 September 2018 when the attacker ran a “count” on a file containing payment card details to determine how many rows it had.  The next day, Accenture, which managed the relevant database for Marriott, notified Marriott, which in turn launched its incident response process.  After investigating, Marriott notified the ICO (as its Lead Supervisory Authority) on 22 November 2018 and potentially affected individuals on 30 November 2018.

The personal data affected varied from person to person, but it may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership numbers.  In total, Marriott estimated that 339 million guest records might have been affected, of which roughly 30 million were EEA records (including 7 million associated with the UK).

Where did Marriott (in the ICO’s eyes) fall short?

The ICO’s penalty notice suggests that it had previously intended to fine Marriott for failing to meet its breach notification obligations under the GDPR.  However, the final penalty relates only to what the ICO deemed failures to implement appropriate safeguards to protect individuals’ personal data.  The “four principal failures” were:

  • “Insufficient Monitoring of Privileged Accounts”

The ICO found that Marriott had insufficient monitoring and logging of user activity, once users had authenticated into systems.  The ICO indicated this was important not only to help detect an attack, but also to act as an “additional layer of security” in the event a breach occurred.  In the ICO’s eyes, “the monitoring of legitimate user accounts (including through logging) within the network for unusual activity is vital”.

  • “Insufficient Monitoring of Databases”

Although a monitoring system enabled on a database containing payment card information first alerted Marriott to the breach, the ICO found Marriott’s database level monitoring inadequate.  Certain alerts were placed only on tables which contained payment card data.  The ICO also found that “Marriott did not ensure sufficient logging of key activities […] taken on a database” as well as other areas of its network including firewall and access logs.  Notably, Marriott did not log the creation of files and mass exports of data.

  • Lack of “server hardening”

The ICO found that additional server hardening might have prevented key elements of the attack.  The ICO highlighted the lack of “binary software whitelisting,” a control which permits only pre-authorized applications to be installed or scripts to be run on specific system.  Notably, the ICO said that, “at a minimum,” whitelisting would have been appropriate for systems subject to remote access, which stored large volumes of (or sensitive categories of) personal data, other critical systems, and Point of Sale terminals or other card processing devices.

  • Lack of “encryption”

While acknowledging that Marriott’s focus on PCI-DSS compliance meant that Marriott encrypted payment card data, the ICO found that Marriott had failed to secure other categories of personal data with encryption where appropriate.  The ICO was “particularly concerned” by the fact that not all passport numbers were encrypted.

Five insights for companies

1. Spectre of post-breach litigation

Like British Airways, Marriott did not admit liability for any breach of the GDPR in connection with the penalty notice, and that should help the company in ongoing post-breach litigation.  Written representations to the ICO still find their way into penalty notices, though, and companies making representations to the ICO or other data protection authorities may want to tailor submission with that in mind.

2. Importance of keeping pace with cybersecurity standards

The penalty notice says that Marriott argued that the ICO “reasoned with the benefit of hindsight” and applied an “impossibly high standard of care”.  The ICO disagreed, citing guidance from the UK National Cyber Security Centre and the NIST framework, much of which pre-dated the breach, to support its position that Marriott had failed to implement appropriate safeguards.

Although the GDPR does not prescribe specific security measures, companies may wish to periodically assess their controls against leading guidance and frameworks to ensure they remain in-step with regulators’ expectations.  Industry standards or guidance frameworks will not be a silver bullet when it comes to GDPR compliance.  The penalty notice states that Marriott’s PCI-DSS compliance did not “obviate or reduce its responsibility for the security of all of the personal data it holds”, highlighting the need for a holistic approach to safeguarding all types of personal data.

3. Notification timing

While the ICO seemingly rowed back on its initial position that Marriott had not met its GDPR notification obligations, the ICO clarified its expectations on timing.  In particular, the ICO suggests that the GDPR notification clock starts running when “a data controller [is] able reasonably to conclude that it is likely a personal data breach has occurred” and not – as Marriott ostensibly suggested – when a controller is “reasonably certain that a personal data breach has occurred”.  Companies may want to keep this subtle distinction in mind when determining when the GDPR’s default 72-hour notification period kicks in.

4. Engaging with the ICO

Marriott made multiple rounds of written representations to the ICO (although did not request the opportunity to make oral representations).  The penalty notice reports many of Marriott’s positions, and the ICO’s response.  Companies engaged with the ICO (whether during enforcement proceedings or when making notifications) may therefore want to consult the notice to see what arguments gained (or did not gain) traction.

For example, the penalty notice indicates that Marriott argued that the fact that Accenture helped manage the security of the relevant Starwood systems was relevant to assessing Marriott’s responsibility for the breach when determining the appropriate penalty.  The ICO disagreed, noting that “the fact that [Accenture] was charged with implementing, maintaining or managing certain elements of the system does not reduce Marriott’s responsibility for the breaches of the GDPR”.  This may inform how other companies tackle similar issues in the future.

5. The need for due diligence

Many will remember that the ICO’s July 2019 press release announcing its proposed £99 million fine said that Marriott had “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”. This left some readers wondering what this meant in practice, not least because Marriott’s due diligence pre-dated the GDPR.

The ICO’s final position on due diligence appears to have shifted focus to the post-acquisition period after GDPR came into force, stating that “the need for a controller to conduct due diligence is not a time-limited or a ‘one-off’ requirement”.  But it is clear that both pre- and post-acquisition due diligence will be integral to managing GDPR risk associated with corporate transactions with a view to integrating and improving (as necessary) legacy IT systems.

Conclusion

The Marriott fine may end up being the last big ICO fine issued through the GDPR’s Lead Supervisory Authority mechanism.  Any organization with a presence in the UK or otherwise targeting or monitoring UK-based data subjects will, from 1 January 2021 onwards, have to deal with the threat of parallel EU and UK enforcement action for data protection violations.  How that will work in practice remains to be seen, but it seems likely that the ICO will remain an important data protection regulator on the world stage.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Jane Shvets is a Debevoise partner in the firm’s White Collar & Regulatory Defense Group, focusing on white collar defense and internal investigations, in particular regarding compliance with corrupt practices legislation, as well as compliance assessments. Ms. Shvets also advises multinational clients on data protection and cybersecurity matters as well as a wide range of sanctions issues. She can be reached at jshvets@debevoise.com.

Author

Robert Maddox is an associate based in the London office and a member of Debevoise's White Collar & Regulatory Defense and International Dispute Resolution Groups, as well as the firm’s Data Strategy & Security practice. His practice focuses on complex multi-jurisdictional investigations, disputes and cybersecurity matters. He can be reached at rmaddox@debevoise.com.

Author

Christopher Garrett is an English-qualified associate who is a member of the Debevoise Data Strategy & Security practice and part of the Corporate Department, also specialising in employment law. He can be reached at cgarrett@debevoise.com.