The recent fine given by the Information Commissioner's Office (ICO) to Marriott International Inc (Marriott) serves as another reminder of the importance of data security.

Starwood Hotels and Resorts Worldwide Inc's reservation database suffered a cyber-attack in 2014, resulting in a data breach. Marriott acquired Starwood in 2016 and it was only in 2018, after the acquisition had taken place, that the breach was discovered.

Personal data contained in approximately 339 million guest records globally was exposed by the incident. 7 million guest records related to UK residents. The ICO initially intended to fine Marriott £99,200,396 for infringements of the General Data Protection Regulation (GDPR). This was reduced to £18.4 million on consideration of Marriott's representations and mitigating actions.

The fine given to Marriott illustrates what can happen when things go wrong and highlights the importance of taking swift and appropriate action in the event that a data breach is discovered.

What Mitigating Measures Did Marriott Take?

The ICO took a range of mitigating measures into consideration including:

  • the increase in Marriott's level of spend on IT security
  • Marriott cooperated fully with the investigation and responded promptly to information requests from the ICO
  • the reporting of the breach in the media enhanced awareness of data security issues
  • the internal measures Marriott took immediately after the breach was discovered, including the use of forensic tools, password resets, disabling compromised accounts and the use of detection tools
  • Marriott emailed data subjects to inform them of the breach
  • Marriott established a dedicated call centre to allow data subjects to contact them to discuss the breach.

Coronavirus guidance employers

What Should You Be Doing to Prevent Data Breaches?

The GDPR requires organisations to implement "appropriate technical and organisational"  measures to safeguard personal data. What is appropriate will depend on factors such as the sensitivity of the data and the risks to individuals if the data is compromised. Essentially, the more sensitive the data (eg HR records, financial data, health records), the stronger the measures required to keep it safe.

Technical measures include encryption, firewalls and anti-virus software. These technical measures should be regularly tested (eg through penetration testing) to ensure that they remain fit for purpose. The National Cyber Security Centre's website contains relevant guidance.

Organisational measures include staff training, policies and procedures. One of the common mistakes we see organisations make is not providing practical and job-specific guidance and training to staff. Lengthy and dense data protection policies and procedures are unlikely to be effective at providing your staff with clear instructions on how to keep personal data safe whilst doing their job. For example, do your staff know how to spot phishing emails and who to speak to if they suspect a breach? Do you have a policy about data security and remote working?

Your organisation should keep a record of what measures are in place because of the requirement to demonstrate your compliance with the GDPR. This is also helpful if you have to report a breach to the ICO because you will be able to provide evidence of your compliance. For example, records should be kept of what training staff have received and when it was delivered.

Ongoing investment in security measures and regular reviews to ensure it meets your organisation's needs are crucial. Where a breach does occur, a report may need to be sent to the ICO promptly and no later than 72 hours after the breach was discovered.

The fine issued to Marriott provides a useful reminder that dealing with a data breach can be costly - both in terms of ICO action but also reputational damage, diverted resources and legal expenses. Time spent now to prevent a breach from occurring is rarely wasted.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.