
Viewpoint: I know where you stayed last summer

Marriott International's recent data breach demonstrates the importance of regular monitoring of systems and software. Brian Craig explains

 


 

Reports indicate that Marriott was alerted to an attempted breach of its Starwood guest reservation database on 8 September 2018. On further investigation, it discovered unauthorised access had been ongoing since 2014 – two years before Marriott acquired the Starwood business. An estimated 327 million Marriott Starwood customers have had their personal information compromised, making this the largest data breach seen since the introduction of new data protection legislation in Europe and the UK this year.

 

In the UK, protecting customers’ personal data is a legal obligation for companies. The General Data Protection Regulation (GDPR) and UK Data Protection Act 2018, which came into force this year, increased the focus on accountability for companies handling personal data.

 

The GDPR defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” Companies have a duty to implement appropriate technical and organisational measures to ensure security of personal data. This is an ongoing obligation – GDPR compliance requires regular monitoring and updating of systems and software.

 

The huge scale of the unauthorised access to Marriott’s database is unquestionably a serious data breach. What makes this breach so significant is the failure of the security measures and the length of time the data was left unprotected.

 

For Marriott, the immediate focus will be on informing the affected customers – as is its duty under the GDPR.

 

It is likely that the Information Commissioner’s Office will begin investigating the breach to determine what steps to take. GDPR penalties are significant – the hotel group could face a fine of up to €20m (£17.8m) or 4% of its annual turnover – whichever is higher. Despite Marriott’s breach being unintentional, the inadequacy of its technical security measures coupled with the four-year duration of the breach will likely be aggravating factors.

 

Regulatory fines could just be the tip of the iceberg. Marriott will also potentially face class action lawsuits for compensation from affected customers. In the US, Marriott is apparently already facing compensation claims. The UK courts recently found liability against Morrisons in a class action brought by 5,000 employees whose personal data was intentionally leaked by a disgruntled employee acting without authorisation.

 

That the breach was ongoing two years prior to Marriott’s acquisition of Starwood throws the spotlight on the role of M&A due diligence in data security, particularly in light of new data protection legislation. That Marriott has inherited liability for Starwood’s breach sends a clear message to other businesses. Data protection due diligence is a crucial part of any M&A transaction – systems and processes should be rigorously tested and interrogated.

 

Crucially, though, this case demonstrates the importance of incorporating regular monitoring and testing into an ongoing data protection compliance programme. Recording the results of those security audits will also help in defending against any future actions by regulators or class action litigants.

 

Complacency is not an option under new data protection legislation – as Marriott has been unfortunate enough to find out.

 

Brian Craig is a legal director at UK law firm TLT

 
