When acquiring a hospitality business with lots of personal customer data held on legacy IT systems, assessing the target's information security should be a top priority. Alex Dittel and Anita Bapat explain
The Information Commissioner's Office (ICO) has recently issued a letter of its intention to fine Marriott International £99,200,396 for data protection breaches suffered by the Starwood group in 2014. Marriott acquired the group in 2016 but did not discover the breaches until 2018. The ICO's key criticism is that Marriott failed to undertake sufficient due diligence to identify the Trojan malware on Starwood's IT estate and to secure its systems.
Under the General Data Protection Regulation (GDPR), appropriate technical and organisational measures must be put in place to protect personal data, such as customer data. Covering physical security as well as cybersecurity, these measures must ensure the continuous confidentiality, integrity and availability of information. To demonstrate compliance, organisations must assign responsibilities, write up policies and procedures and keep appropriate records.
Failing to adopt and maintain such measures may result in regulatory action, including fines of up to €20m (£18m) or 4% of total worldwide annual turnover of the financial year preceding the breach. Personal data breaches must be reported to the ICO within 72 hours.
This case has highlighted the need to involve information security experts such as IT professionals and specialist privacy lawyers in the corporate due diligence process when acquiring a target. Failure to uncover historic data breaches or unresolved IT vulnerabilities may turn your newly acquired data assets into a toxic pool with a looming regulatory fine.
The appropriate technical and organisational measures will depend on the types of personal data held and the risk of harm to individuals in the event of a data breach. Regular risk assessments followed by implementation and monitoring are required. To keep up with constantly evolving cyberthreats (for example, it has been reported that the crime group FIN8 has recently updated its malware designed to steal credit card data from point-of-sale systems used in the hospitality sector), it is vital to stay on top of the latest developments and implement 'state of the art' measures as required under GDPR.
Organisations have to think of which locks to use to secure their premises; who in the organisation should have access privileges for the server room and IT systems; which policies, procedures and training will best guide staff to react appropriately to security risks; whether to adopt web filtering; what version of encryption to use; which patch management solution to rely on, and so forth. This will, of course, change over time as new security measures and protocols become market standard, so it is essential that this is an ongoing process. These are questions that should be determined by IT professionals and specialist privacy lawyers.
Indeed, in an acquisition scenario, such experts should be called to carry out due diligence and, if necessary, create a remediation plan to bring compliance (including handling a past data breach) up to scratch. If your due diligence does not show evidence of these processes taking place at the target's organisation, this should raise alarm bells.
Organisations suffer information security breaches on a daily basis. More sophisticated attacks might not be preventable. However, by demonstrating compliance with the security requirements, an organisation may be able to mitigate the risk of regulatory fines.
Unfortunately for Marriott, it not only failed to comply with the security requirements, but also failed to notify the ICO within 72 hours.
- Set up an information security framework with assigned responsibilities and dedicated resources.
- Carry out regular security assessments and respond to risks.
- Ensure the continuous monitoring of assets, risks and the effectiveness of security measures.
- Train staff on reporting and mitigating threats and risks.
- Advance security measures in line with developments in the IT security industry.
- In an acquisition scenario, the buyer should carry out information security due diligence and test for vulnerabilities using legal and technical security experts. Relying on the seller's representations, warranties and disclosures and including contractual protection against personal data breaches will help, but this alone will not be sufficient to ensure compliance with GDPR.
- If any shortcomings or privacy risks are identified, develop a remediation plan to ensure these are mitigated.