Reading the ICO’s monetary penalty notice (MPN) served on Marriott, one notes that the fine relates to infringements of Articles 32 and 5(1)(f) of the GDPR between 25th May 2018 and 18th September 2018, even though the personal data breach had been on-going since July 2014. The MPN sets out that the ICO is not considering the period before the GDPR came into force, so any infringement of the DPA98 has not been assessed. In the grand scheme of things, levying an additional £500k (the maximum penalty available under the DPA98) for a pre-GDPR infringement would not have been of particular significance, and may well have made for a far more complicated investigation and report.
As a PCI DSS Qualified Security Assessor (QSA), the Outsourced DPO was particularly interested in the payment card industry angle to this. The MPN states that Marriott’s reliance on Reports on Compliance (ROCs) issued by two independent PCI DSS assessors, which led Marriott to conclude (albeit erroneously) that access to the cardholder data environment was appropriately protected, did not in itself constitute a breach of Marriott’s obligations under the GDPR. It would seem, then, that the independent ROCs, which to the uninitiated are in effect audit reports, were accepted as evidence that appropriate security measures were in place, despite their proving insufficiently reliable in the final analysis. In effect, an organisational control (the ROC) was relied upon to verify a technical control (multi-factor authentication, MFA), but the performance of that organisational control by Marriott’s QSA company, i.e. the testing of the MFA, was flawed.
It is reassuring that the ICO says hindsight is not an effective methodology for assessing the appropriateness of control measures; plenty of folks all too readily jumped on the Marriott-bashing bandwagon. Of note is that having an audit programme in place through the PCI DSS ROC was sufficient to give Marriott something of a defensible position… well, partially!