Marriott International's recent data breach demonstrates the importance of regular monitoring of systems and software. Brian Craig explains
Reports indicate that Marriott was alerted to an attempted breach of its Starwood guest reservation database on 8 September 2018. On further investigation, it discovered that unauthorised access had been ongoing since 2014 - two years before Marriott acquired the Starwood business. An estimated 327 million Marriott Starwood customers have had their personal information compromised, making this the largest data breach seen since the introduction of new data protection legislation in Europe and the UK this year.
In the UK, protecting customers' personal data is a legal obligation for companies. The General Data Protection Regulation (GDPR) and UK Data Protection Act 2018, which came into force this year, increased the focus on accountability for companies handling personal data.
The GDPR defines a data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data." Companies have a duty to implement appropriate technical and organisational measures to ensure security of personal data. This is an ongoing obligation - GDPR compliance requires regular monitoring and updating of systems and software.
The huge scale of the unauthorised access to Marriott's database is unquestionably a serious data breach. What makes this breach so significant is the failure of the security measures and the length of time the data was left unprotected.
For Marriott, the immediate focus will be on informing the affected customers - as is its duty under the GDPR.
It is likely that the Information Commissioner's Office will begin investigating the breach to determine what steps to take. GDPR penalties are significant - the hotel group could face a fine of up to €20m (£17.8m) or 4% of its annual turnover - whichever is higher. Despite Marriott's breach being unintentional, the inadequacy of its technical security measures coupled with the four-year duration of the breach will likely be aggravating factors.
Regulatory fines could just be the tip of the iceberg. Marriott will also potentially face class action lawsuits for compensation from affected customers. In the US, Marriott is apparently already facing compensation claims. The UK courts recently found liability against Morrisons in a class action brought by 5,000 employees whose personal data was intentionally leaked by a disgruntled employee acting without authorisation.
That the breach was ongoing two years prior to Marriott's acquisition of Starwood throws the spotlight on the role of M&A due diligence in data security, particularly in light of new data protection legislation. That Marriott has inherited liability for Starwood's breach sends a clear message to other businesses. Data protection due diligence is a crucial part of any M&A transaction - systems and processes should be rigorously tested and interrogated.
Crucially, though, this case demonstrates the importance of incorporating regular monitoring and testing into an ongoing data protection compliance programme. Recording the results of those security audits will also help in defending against any future actions by regulators or class action litigants.
Complacency is not an option under new data protection legislation - as Marriott has been unfortunate enough to find out.
Brian Craig is a legal director at UK law firm TLT