Viewpoint: I know where you stayed last summer

Marriott International’s recent data breach demonstrates the importance of regular monitoring of systems and software. Brian Craig explains

Discovery of a data breach affecting up to 500 million Marriott International customers has exposed the hotel chain to the risk of eye-watering financial penalties – and raised questions about its security measures. This incident should be a wake-up call for all businesses because it highlights the need to implement and audit technical and organisational security measures as part of a complete and ongoing data protection programme, and the role of merger and acquisition due diligence in data security.

Reports indicate that Marriott was alerted to an attempted breach of its Starwood guest reservation database on 8 September 2018. On further investigation, it discovered that unauthorised access had been ongoing since 2014 – two years before Marriott acquired the Starwood business. An estimated 327 million Marriott Starwood customers have had their personal information compromised, making this the largest data breach seen since the introduction of new data protection legislation in Europe and the UK this year.

In the UK, protecting customers’ personal data is a legal obligation for companies. The General Data Protection Regulation (GDPR) and UK Data Protection Act 2018, which came into force this year, increased the focus on accountability for companies handling personal data.

The GDPR defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” Companies have a duty to implement appropriate technical and organisational measures to ensure security of personal data. This is an ongoing obligation – GDPR compliance requires regular monitoring and updating of systems and software.

The huge scale of the unauthorised access to Marriott’s database is unquestionably a serious data breach. What makes this breach so significant is the failure of the security measures and the length of time the data was left unprotected.

For Marriott, the immediate focus will be on informing the affected customers – as is its duty under the GDPR.

It is likely that the Information Commissioner’s Office will begin investigating the breach to determine what steps to take. GDPR penalties are significant – the hotel group could face a fine of up to €20m (£17.8m) or 4% of its annual turnover – whichever is higher. Despite Marriott’s breach being unintentional, the inadequacy of its technical security measures coupled with the four-year duration of the breach will likely be aggravating factors.

Regulatory fines could just be the tip of the iceberg. Marriott will also potentially face class action lawsuits for compensation from affected customers. In the US, Marriott is apparently already facing compensation claims. The UK courts recently found liability against Morrisons in a class action brought by 5,000 employees whose personal data was intentionally leaked by a disgruntled employee acting without authorisation.

That the breach was ongoing two years prior to Marriott’s acquisition of Starwood throws the spotlight on the role of M&A due diligence in data security, particularly in light of new data protection legislation. That Marriott has inherited liability for Starwood’s breach sends a clear message to other businesses. Data protection due diligence is a crucial part of any M&A transaction – systems and processes should be rigorously tested and interrogated.

Crucially, though, this case demonstrates the importance of incorporating regular monitoring and testing into an ongoing data protection compliance programme. Recording the results of those security audits will also help in defending against any future actions by regulators or class action litigants.

Complacency is not an option under new data protection legislation – as Marriott has been unfortunate enough to find out.

Brian Craig is a legal director at UK law firm TLT
