Marriott International: a look behind the ICO’s £99m fine and what this means for corporate acquisitions

5 August 2019

Last month, the Information Commissioner’s Office (ICO) announced notice of its intention to fine (NOI) Marriott International, Inc. £99m for infringements of the GDPR. This was the second NOI in as many days, following hot on the heels of the NOI issued to British Airways for an eye-watering £183m.

Marriott notified the ICO of a cyber incident it discovered in November 2018. Personal data, including names, addresses, passport numbers and encrypted payment card numbers contained in approximately 339 million guest records globally, were exposed by the incident. This is a classic data breach and the proposed fine is dwarfed by the BA fine, but what is of particular interest here is that Marriott inherited this breach as a result of a corporate acquisition.

The ICO has stated its belief that the vulnerability began in 2014, when the IT systems of Starwood Hotels and Resorts Worldwide LLC, a subsidiary of Marriott, were compromised. Marriott did not acquire Starwood until 2016, but the ICO did not see this as a mitigating factor. In fact, the ICO specified that Marriott had failed to undertake sufficient due diligence on Starwood at the time of the acquisition, with Information Commissioner Elizabeth Denham stating:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition.”

Marriott will make representations to the ICO in an effort to reduce the fine. The ICO will also take into consideration any representations from its equivalent bodies in the other affected countries of the EEA.

Whatever the final outcome, it is clear that the ICO is unlikely to excuse businesses that have inherited an existing data breach through a corporate acquisition, meaning the importance of data protection due diligence (in the form of both legal due diligence and technical IT due diligence) when acquiring businesses cannot be overstated. If your business is buying a company, the scope of the due diligence exercise should be clearly defined at the outset, taking into account the nature of the target business and the likely risks it will face from a data protection perspective. Purchasers need to adopt a robust attitude throughout the due diligence exercise, seek contractual protection in the acquisition documents following that diligence, and ensure that all ‘post-Completion’ resolutions are actioned and completed as soon as possible following completion of the transaction.
