November 2, 2020, 11:41 am | Category: Blog

The Marriott Hotel Fined £18.4 Million

So, last week the ICO levied a fine of £18.4m on Marriott for a personal data breach affecting an estimated 339 million people over a 4-year period. If you use the unorthodox method of evaluating monetary penalties of vP = F/n (the value of privacy is equal to the value of the fine divided by the number of affected people), that works out at a measly £0.05: five pence per individual. Five pence! Think about it: a fine of five pence for each compromised individual. Is that the value of privacy these days?

The most important point raised by the Marriott breach is arguably that they appear to have introduced the cyber vulnerabilities when they acquired the Starwood Hotels group in 2016. The Outsourced DPO has been banging on for years about the importance of undertaking due diligence on data and data protection compliance vulnerabilities during mergers and acquisitions. And although DPP has completed some work here, we find the majority of people contemplating M&As don’t seem to consider that bringing other folks’ data, systems, people, and work methods into their own environment is something that should be subject to a detailed risk assessment. In many cases there is “no budget” for such a review, but our fee for conducting one is minuscule compared to the costs of clean-up, fines and compensation.

The Marriott situation is high profile, involving a well-known brand, but the same compliance and vulnerability risks exist in mergers between social housing providers, charities, and other businesses. For example, when taking on 10,000 new properties through a merger between two housing associations, the last thing on people’s minds is usually the personal data relating to the 30,000 legacy data subjects and the data handling practices of the 350 merged employees. Resources are channelled into assessing the property portfolio and financial position, but it seems very rare for merger due diligence to formally consider cyber maturity, lawfulness of processing, etc. Is it likely that the Marriott case study will change that? Let’s hope so.