Marriott announced last November that it had discovered there had been "unauthorised access" to one of its databases since 2014 following a cyber incident. The database was one that was added to Marriott's IT estate when it acquired the Starwood business in 2016 and it contained details of hundreds of millions of hotel guests. In January this year, Marriott provided an update in which it revised down the number of records it thought had been impacted and confirmed that the database affected had been completely phased out from use.
According to the ICO, approximately 339 million guest records were "exposed by the incident". In a statement, it said Marriott had "failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems".
However, Marriott said it will contest the ICO's plans to issue it with a £99.2m fine. It said the breach "involved a criminal attack against the Starwood guest reservation database".
Cyber risk expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said: "The message from the ICO is clear – cybersecurity and data privacy should form a central part of the due diligence businesses engage in when seeking to acquire other companies. We have seen the topic of cyber due diligence come to the fore previously in the case of the TalkTalk data breach which concerned a customer database operated by Tiscali, a company TalkTalk had previously acquired."
"The level of proposed penalty in both the BA and Marriott cases is noteworthy. It is likely that the ICO has devoted significant resources to both investigations and elected to pursue significant fines in an effort to demonstrate its willingness to use its fining powers under the GDPR and prompt other businesses to act to avoid similar penalties," he said.
"If the ICO confirms its action against Marriott, its monetary penalty notice should provide an insight into how the level of fine was calculated and whether it has been influenced by any aggravating or mitigating factors," Birdsey said.
Data protection law expert Claire Edwards of Pinsent Masons said: "The ICO will need to be able to explain as part of any appeal how the fine was determined and ensure that it is in line with the requirements of the consistency mechanism established under the GDPR which is designed to ensure the approach to enforcement is uniform across the different regulators in the EU."
The ICO said it has acted as the lead authority for investigating the Marriott data breach under the GDPR's 'one stop shop' regime which applies across the European Economic Area (EEA) and comprises the 28 EU countries, Iceland, Liechtenstein, and Norway.
The 'one stop shop' (OSS) regime is aimed at reducing the bureaucracy associated with corresponding with multiple regulators. It sees one data protection authority take the lead on investigations whilst providing an opportunity for other data protection authorities in the EEA to feed into the enforcement process.
The ICO has confirmed that Marriott International has a right to make written representations in response to its notice of intent, and that it will also consider representations made by the other data protection authorities before making a final decision in the case.
Corporate law expert Julian Stanier of Pinsent Masons said: "Like in the British Airways case, the ICO has been spurred into publicising its intended enforcement action as a result of a markets disclosure by Marriott International. Although different disclosure regimes apply in the EU and the US, it seems likely that both Marriott and BA decided that the ICO's plans to issue a fine represent an event that is material for disclosure to its investors."
"We are aware of cases in other regulated industries where businesses have been able successfully to persuade regulators to revise down proposed fines in similar circumstances where they have gone public about the penalties they are facing, so the fact that details of the major fines the ICO proposes to issue to BA and Marriott are public before written representations by those companies have been developed and considered does not necessarily mean the companies' legitimate arguments against the ICO's proposed action will not be persuasive," he said.