On 9 July 2019, the Information Commissioner's Office (ICO) announced its intention to serve hotel chain Marriott International with a monetary penalty of more than £99m for infringements of the General Data Protection Regulation (GDPR). The proposed administrative fine is understood to relate to the exposure of 339 million guests' records. Much here turns on the level of due diligence Marriott applied when acquiring Starwood in 2016. Whilst ICO notices of intent often don't result in actual fines (or sometimes result in much lower sums), the case will make crucial reading for all professionals involved in corporate transactions.
Background to Marriott's reprimand
The vulnerability in Marriott's cyber security systems is thought to have originated when the Starwood hotels group's systems and guest reservation database were breached in 2014. This was prior to Marriott's acquisition of the Starwood group in 2016, but was not discovered until 2018, when Marriott notified the breach to the ICO. The ICO says that its investigation found that "Marriott failed to undertake sufficient due diligence when it bought Starwood". Despite acknowledgements in the ICO's statement that Marriott has since made improvements to its security arrangements, the regulator has now shown that it is prepared to bare its teeth.
Protecting privacy in hospitality & leisure businesses
Personal data plays a crucial role in the hospitality & leisure industry. The sensitive nature of the personal data acquired from customers is often beyond that collected by most customer-facing businesses. For instance, in relation to any individual, a hotel may have acquired the following information: what newspaper the individual reads, when they wake up in the morning, their passport details, and the registration number of their car. This data has real value to criminal organisations, particularly when the data relates to high-net-worth individuals.
Buyer beware – protecting against data protection risk
In the context of an M&A transaction, buyers will seek to uncover any gaps in the target company's compliance with GDPR, but it is clear that historic vulnerabilities or compromises under prior legal regimes should also be scrutinised. Where the target is a hospitality & leisure business, given the potentially vast amount of data processed, it is likely that data protection due diligence will need to be gold-plated.
The nature of such a review will depend on the specific circumstances surrounding the transaction. However, the buyer will doubtless want to analyse the target's policies, procedures and documentation to ensure these are robust, but will also need to consider how these are practised on the ground. Other areas for inspection will include a review of the target's cyber security practices and the nature of any complaints or disputes against the target in relation to the misuse of personal data.
While warranty and indemnity coverage in the sale and purchase agreement may provide some reassurance to buyers, these protections are often subject to time limitations and financial limits. For instance, warranty claims are usually time-barred from 18 to 24 months after completion; in a scenario such as Marriott's, any such warranties would therefore be of little use at present. As such, it is imperative that any major weaknesses in a target's data protection policies, procedures or compliance with laws are identified before the transaction documents are signed.
For further information, please contact:
Matilda Barr, Associate
Jon Baines, Data Protection Advisor