Marriott Secures 80% Reduction in ICO Fine, but Here’s What You Missed…


Hot on the heels of the £20 million fine issued to British Airways, the Information Commissioner’s Office ("ICO") has issued Marriott International Inc. ("Marriott") with a long-awaited penalty notice for its failure to ensure appropriate security of the personal data it processed. The global hotel chain has been fined £18.4 million, which is a substantial reduction from the £99.2 million contemplated by the ICO’s notice of intention to fine. Unfortunately, the decision failed to give any detailed explanation for the reduction in the level of the fine from £99.2 million to £28 million. Although, a further 20% reduction to £22.4 million was designed to acknowledge Marriott's cooperation, and a further £2 million reduction was to reflect the impact of the coronavirus pandemic.

The Marriott attack, which spanned more than four years, impacted an estimated 339 million guest records (30.1 million of which belonged to EEA citizens). Amongst others, the attackers accessed 18.5 million encrypted passport numbers (of which 4.29 million belonged to EEA citizens) and 9.1 million encrypted payment card details (of which 873,000 belonged to EEA customers). Other categories of personal data, such as guest names, genders, dates of birth, email addresses and telephone numbers were also compromised.

The decision is of particular importance for acquisitions because the breach took place at Starwood Hotels and Resorts Worldwide Inc.'s ("Starwood") before its acquisition by Marriott in September 2016. At the time of the acquisition, the attackers had been in Starwood's network infrastructure for approximately two years—yet it is Marriott that suffers the fine and the associated costs.

We have already set out our thoughts on what the Marriott and British Airways cases demonstrate concerning the importance of thorough and robust representations in regulatory investigations in our British Airways blog post. Here, we want to focus on the implications for acquisition due diligence and two other takeaways: (i) the importance of not focusing on one part of your security to the exclusion of others and (ii) that relying on third parties to manage your cyber risk does not give you a 'get out of jail free' card.

The ICO recognises the challenges with pre-acquisition due diligence.

In 2014, Starwood's systems were compromised. Following its acquisition of Starwood in 2016 and despite not having discovered the breach or having been involved in the security failings that led to the breach, the continuing cyberattack became Marriott's problem to contend with.

Marriott has said that it "was only able to carry out limited due diligence" prior to the acquisition of Starwood in 2016. The ICO declined to make any findings in the period prior to the GDPR coming into force in May 2018 (noting it had "not determined whether or not it was possible for Marriott to conduct due diligence during a takeover"). Interestingly, however, the ICO went on to acknowledge that there "may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover." There are a number of reasons why that might be so. First, there is no general duty of disclosure on a seller (under English law) and, accordingly, a buyer is reliant on the information it is able to obtain from the seller via Q&A (noting that a seller may be liable in fraud for withholding information). Secondly, in a (UK public) takeover process, a bidder is generally limited to publicly available information and certain categories of nonsensitive information (because, in the UK, any competing bidder is entitled to receive the same information as the original bidder). The pressure to close in a timely fashion, a competitive process, the complexity of getting to the bottom of the target business, and the restrictions a selling party might seek to impose (such as to reflect preexisting confidentiality restrictions) may all conspire to further limit access for due diligence. Nevertheless, acquisitive businesses need to think carefully about the questions they ask in diligence with respect to cybersecurity: it is critical to understand the state of the security in place from the outset so that, where necessary, changes to security logging and monitoring can be made immediately after completion. Such businesses may also want to consider whether they engage specialist external cybersecurity firms to help frame and/or conduct their due diligence exercise.

None of this is to say that reliance on diligence cannot be a defence. In fact, despite the limited assessment noted above, the ICO found that Marriott had been right to rely on certain information concerning the application of multi-factor authentication ("MFA") to a critical system called the Cardholder Data Environment ("CDE"). That information, which comprised two reports by independent assessors (one issued pre-acquisition and the other post-acquisition),  led Marriott to believe—incorrectly—that MFA was in place across the entirety of the CDE. The ICO concluded that Marriott "did not breach its obligations under the GDPR by relying upon" the reports and so did not take into account MFA failings in coming to its decision.

Alongside robust due diligence, buyers should also ensure that adequate warranty and indemnity protection is sought in any definitive acquisition documentation. Buyers may also want to consider the merits of taking out a specific warranty and indemnity insurance policy, which may be able to cover a breach of any representations and warranties included in any definitive acquisition agreement and may be able to provide cover on more generous terms than may otherwise be able to be agreed upon with a seller. However, it should be noted that the scope and strength of the cover under any such policy is likely to be dependent on the robustness and strength of the buy-side due diligence exercise.

The process of compliance does not, of course, stop post-acquisition—regardless of what was learned during due diligence. The ICO recognised that an acquisition is "a trigger" (emphasis in the original), the "need for a controller to conduct due diligence in respect of its data operations is not time-limited or a 'one-off' requirement." Therefore, businesses cannot be complacent when the dust settles post-acquisition: they must get a good grip on the IT network they have acquired and ensure that it meets the appropriate technical and organisational measures required by law and to ensure that any deficiencies are identified and addressed as soon as possible post-acquisition. This is vital for compliance, and, as the Marriott case shows, it is also essential to stand a chance of identifying an in-progress or imminent attack on the network you now own. Privacy and cybersecurity risk assessments should now be a key element of all post-acquisition workstreams. They should be part of the deal team's integration plan and, to the extent possible, structured pre-deal with the benefit of existing management’s insight. Buyers may also want to consider the merits of taking out a specific cybersecurity insurance policy that may help mitigate the effects of any post-acquisition cyber breach.

Don't focus on one part of your security to the exclusion of all others.

Our second takeaway is the importance of not focusing on one part of your security to the exclusion of all others.

Marriott was criticised by the ICO for focusing on protecting payment card information ("PCI") above other security risks. Protecting PCI is, of course, important given it is likely to be among the most sensitive data that most businesses hold on data subjects. The ICO acknowledged that a "risk-based approach" was required and that PCI data was "likely to be the highest risk category" warranting higher security than other data. But the ICO considered Marriott to have failed to implement appropriate technical and organisational measures to ensure an "appropriate level of overall security for all other personal data."

Marriott was criticised over the lack of logging and monitoring it had in place to detect and mitigate attacks. The system that it had was only set up to issue alerts in respect to PCI data. The ICO concluded that "while a risk-based approach may require payment card data to have additional security alerts, this does not justify a complete lack of alerts on…other personal data." (Emphasis in the original.)

While the penalty notice repeatedly stresses that no one cybersecurity measure is a panacea against attack, that is not a defence when it comes to discharging your duty under the GDPR. Businesses need a comprehensive strategy to understand what personal data they hold and what security, at a minimum, ought to be in place before moving to a risk-based approach in order to identify where additional security might be required.

You can't outsource the risk.

The final takeaway worth your attention is the ICO's rejection of arguments that Marriott's decision to outsource aspects of Starwood's security management to a consultant "should be taken into account in assessing Marriott's responsibility for the Attack."

In rejecting that argument, the ICO found that engagement of a third-party consultant "does not reduce Marriott's responsibility for the breaches of the GDPR" and that "the engagement of third parties cannot reduce [Marriott's] degree of responsibility."

This conclusion is not particularly surprising, but it does create some difficulty for businesses that do not have Marriott's resources. To what extent is it reasonable for smaller businesses to rely on expert security providers? While they might not be as obvious a target as Marriott, ransomware is still a disproportionate problem for small- and medium-sized businesses, with around 60% of attacks affecting businesses with revenue of less than US$50 million. It will be difficult for those businesses to demonstrate compliance with the GDPR unless they rely on advice from cybersecurity experts.

In our view, the complexity of the cybersecurity issues means that while every business has a different risk profile requiring a different approach to cybersecurity and different internal technical capabilities to monitor cybersecurity, seeking expert cybersecurity advice is likely to be vital in most cases. However, businesses must not consider that such advice absolves them of liability or the responsibility to monitor and understand the risks. Businesses must take that advice seriously and avoid shelving difficult discussions 'for another day,' the next quarter, or the following year. It is the business that will be held responsible for the decisions that are made in response to that advice, and it is not for the regulator to judge whether that advice was properly given or the services were properly performed. As we discussed in our recent “Cyber and the C‑suite” seminar, given the complexity of the issue, to satisfy their responsibility, boards will need to consider if they have the technical ability in the business to properly monitor such advice.

Lessons learnt

While many blogs will focus on the level of the fine Marriott faced, in our view, this is not the most important takeaway from the lengthy monetary penalty notice issued by the ICO. Organisations can learn a lot from understanding what lies behind the fine and can take steps to mitigate their cyber and privacy risk.

  1. Ensure appropriate attention to cyber and privacy in both pre-acquisition due diligence and post-acquisition integration and consider appropriate warranty protection to mitigate the risk.

  2. Take an organisational approach to assessing risk. While the GDPR allows for a risk-based approach to privacy and cybersecurity, it is necessary to assess that risk across all types of personal data and not simply focus on obvious areas of high risk.

  3. While it is good practice for companies to supplement their own cybersecurity and privacy teams by using outside consultants as necessary, the company will remain accountable. Data controllers must therefore ensure they do not over rely on third parties and make sure they are satisfying themselves that they understand the cyber and privacy risks.
Some background: Anatomy of the attack

In July 2014, attackers targeted Starwood's IT systems by installing a web shell on one of its devices. This web shell granted the attackers remote access to the system, which they exploited to install malware Remote Access Trojans ("RATs"). In turn, the RATs granted the attackers remote administrator control of the system. The attackers also installed and executed a software called Mimikatz, which enabled them to harvest temporarily stored login credentials from the system. Subsequently, several files were created, possibly to exfiltrate data from certain tables. The attack continued following Marriott's acquisition of Starwood in September 2016 and following the introduction of the GDPR in May 2018. In September 2018, the attackers performed an action on a table containing customer payment card details. This triggered an alert, which ultimately led to the discovery of the breach on 8 September 2018. Importantly, such an alert was only sent because the table included payment card details. Earlier access to other tables not containing this category of data would not have prompted an alarm.

Following the discovery, Marriott moved swiftly to implement its incident response plan and to deploy real-time monitoring and forensic tools across 70,000 legacy Starwood devices. This enabled Marriott to monitor and identify possible malicious activity in real time. Over the course of September to November 2018, forensic analyses revealed the presence of RATs and Mimikatz, as well as further unauthorised activity from July 2018. The Federal Bureau of Investigation ("FBI") was contacted in mid-October and a notification to the ICO followed on 22 November. On 30 November, Marriott put out a press release, created a dedicated website and alerted customers to the breach through email.

In the October 2020 decision, the ICO found that Marriott failed to "process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures".[1] Specifically, the hotel chain failed to comply with Article 5(1)(f) GDPR and Article  32 GDPR.

[1] [1.6]