Starwood Hotels and Resorts Worldwide Inc's reservation database suffered a cyber-attack in 2014, resulting in a data breach. Marriott acquired Starwood in 2016 and it was only in 2018, after the acquisition had taken place, that the breach was discovered.
Personal data contained in approximately 339 million guest records globally was exposed by the incident. 7 million guest records related to UK residents. The ICO initially intended to fine Marriott £99,200,396 for infringements of the General Data Protection Regulation (GDPR). This was reduced to £18.4 million on consideration of Marriott's representations and mitigating actions.
The fine given to Marriott illustrates what can happen when things go wrong and highlights the importance of taking swift and appropriate action in the event that a data breach is discovered.
The ICO took a range of mitigating measures into consideration including:
The GDPR requires organisations to implement "appropriate technical and organisational" measures to safeguard personal data. What is appropriate will depend on factors such as the sensitivity of the data and the risks to individuals if the data is compromised. Essentially, the more sensitive the data (eg HR records, financial data, health records), the stronger the measures required to keep it safe.
Technical measures include encryption, firewalls and anti-virus software. These technical measures should be regularly tested (eg through penetration testing) to ensure that they remain fit for purpose. The National Cyber Security Centre's website contains relevant guidance.
Organisational measures include staff training, policies and procedures. One of the common mistakes we see organisations make is not providing practical and job-specific guidance and training to staff. Lengthy and dense data protection policies and procedures are unlikely to be effective at providing your staff with clear instructions on how to keep personal data safe whilst doing their job. For example, do your staff know how to spot phishing emails and who to speak to if they suspect a breach? Do you have a policy about data security and remote working?
Your organisation should keep a record of what measures are in place because of the requirement to demonstrate your compliance with the GDPR. This is also helpful if you have to report a breach to the ICO because you will be able to provide evidence of your compliance. For example, records should be kept of what training staff have received and when it was delivered.
Ongoing investment in security measures, and regular reviews to ensure they still meet your organisation's needs, are crucial. Where a breach does occur, a report may need to be sent to the ICO promptly and no later than 72 hours after the breach was discovered.
The fine issued to Marriott provides a useful reminder that dealing with a data breach can be costly, both in terms of ICO action and in terms of reputational damage, diverted resources and legal expenses. Time spent now to prevent a breach from occurring is rarely wasted.