ICO - Monetary Penalty on Marriott International Inc.
ICO - Monetary Penalty on Marriott International Inc. Authority: ICO (UK) Jurisdiction: United Kingdom Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPRType: Investigation Outcome: Violation Found Started: Decided: 30.09.2020 Published: 30.10.2020 Fine: 18400000 GBP Parties: n/a National Case Number/Name: Monetary Penalty on Marriott International Inc. European Case Law Identifier: n/a Appeal: Unknown
Original Language(s): English Original Source: Information Commissioner's Office (in EN) Initial Contributor: Edda Pernice The Information Commissioner’s Officer (ICO) imposed a fine of GBP 18.4 million on Marriott International Inc (“Marriott”) for failing to ensure appropriate security when processing its costumers’ personal data, thus violating Article 5(1)(f) and Article 32 GDPR.
Investigations began following notification of an attack on Marriott’s IT systems that took place over a period of time that includes May 2018 (when the GDPR came into force) to September 2018 . As a result, the attacker(s) had access to vast amounts of costumers’ personal data: Marriot estimated that they accessed 339 million guest records, with 30.1 million being EEA members’ records and 7 million being associated with the UK.
English Summary
Facts
Starwood Hotels and Resorts Worldwide Inc’s (“Starwood”) IT system were first compromised by unknown attackers in 2014. Marriot subsequently acquired Starwood in 2016, but did not detect this attack at any time between that moment and September 2018. Therefore, between 2014 and 2018, the attackers had access to Starwood’s systems through use of Remote Access Trojan malware, and kept extracting Starwood databases. Marriott became aware of potential attacks following an alert from a system applied to one of its most confidential databases on September 2018. After that Marriot found malware installed and proof that databases had been extracted over the years, so they promptly notified both the ICO and relevant data subjects of the breach. The ICO found that the attackers had obtained unencrypted personal data of the likes of: passport numbers, identifying information of the costumers such as name, date of birth and gender, plus credit card details in encrypted form.
Dispute
Holding
Although the ICO and the relevant victims were notified promptly of the breach, the ICO found that there were many failures in placing the technical and organizational measures to safeguard personal data in Marriott’s system as required under Article 5(1)(f) and Article 32 GDPR. Marriott’s shortcomings, as outlined by the ICO, were the following: insufficient monitoring of privileged accounts and their user activity, insufficient monitoring of databases, poor control of critical systems and systems that have access to large amounts of personal data, and the fact that only certain type of sensitive data was encrypted (e.g. credit card numbers) but not all (e.g. many passport numbers). The ICO fined Marriott in line of Article 83 GDPR but also took into account mitigating factors such as the efforts that Marriott made to inform and help the victims of the breach, the $19 million investment it made on security the following year and the financial impacts of the Covid-19 pandemic, lowering the final amount of the fine from £24 million to £18.4 million.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Information Commissioner's Office PENALTY NOTICE Section 155, Data protection Act 2018 Case ref: COM0804337 Ma10400 Fernwood Roadl Inc Bethesda M DUSA0 8 1 7 30 October 20201 INTRODUCTION & SUMMARY 1.1. This Penalty Notice i given to Marriott International Inc (“Marriott”) pursuant to section 155 and Schedule 16 of the Data Protection Act 2018 (the “DPA”). I relates to infringements of the General Data Protection Regulation (the “GDPR”), which came to the attention of the Information Commissioner (“the Commissioner”) as a result of an attack on Marriott’s IT systems? that took place over a period that included 25 May 2018 to 17 September 2018 (the “Attack”). 1.2. Insummary, i 2014 the IT systems of Starwood Hotels and Resorts Worldwide Inc (“Starwood”) were compromised by an unknown attacker or attackers (referred to, for ease of reference, as “the Attacker”), utilising an unknown attack vector. In 2016, Marriott acquired Starwood. Marriott did not detect the Attack at any time between acquiring Starwood and September 2018, including i the period after the entry into force of the GDPR i May 2018. During this latter period, the Attacker continued to traverse through the Starwood systems and had gained access to the cardholder data environment within the Starwood network. This access allowed the Attacker to export the personal data of Starwood customers to “dmp” files on the Starwood systems, potentially with a view to taking a copy of that data. I was only when the Attacker triggered an alert i relation to a table containing cardholder data that the Attack was discovered and could be mitigated. The personal data of a large number of individuals was involved in the Attack, including cardholder data, although the Commissioner has not seen any evidence of financial harm to individuals. Following the alert, Marriott promptly informed affected data subjects and took immediate steps to mitigate the effects of the Attack and to protect the interests of data subjects by implementing remedial measures. 1.3. Marriott i an _ international hotel chain, with operational headquarters i the USA. The provisions of the DPA and the GDPR apply to the processing of personal data by Marriot by virtue of 1 References i this decision to Marriott’s systems / network / security etc. concern the IT systems etc. that Marriott acquired from Stai September2016 and retained and continued to use post-acquisition. section 207(2) DPA and Article 3(1) GDPR. Marriott has confirmed that Marriott Hotels Limited i Marriott’s main establishment within the EU, as defined i Article 4(16) GDPR. 1.4. The data subjects affected by this breach were customers of Starwood, which was at the relevant time owned by Marriott, i the United Kingdom, elsewhere in the EU, and in the rest of the world. 1.5. Marriott was the controller i respect of the personal data of its customers within the meaning of section 6 DPA and Article 4(7) GDPR, as i determined the purposes and means of the processing of the personal data. By inter alia collecting, recording, organising, structuring and storing the personal data of its customers, Marriott was processing that data within the meaning of section 3(4) DPA and Article 4(2) GDPR. 1.6. Marriott has not admitted liability for breach of the GDPR. However, for the reasons set out i this Penalty Notice, the Commissioner has found that Marriott failed to process personal data i a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures, as required by Article 5(1)(f) and Article 32 GDPR. 1.7. The Commissioner has found that, in all the circumstances, and having regard, i particular, to Marriott’s representations and the matters listed i Article 83(1) and (2) GDPR, the infringements constitute a serious failure to comply with the GDPR and, accordingly, that the imposition of a penalty i appropriate. The amount of the penalty that the Commissioner has decided to impose, having taken into account a range of mitigating factors set out further below and the impact of the Covid-19 pandemic, i £18.4 million. 1.8. Pursuant to Article 56 GDPR, the Commissioner i acting as lead supervisory authority i respect of the cross-border processing at issue i this case.2.LEGAL FRAMEWORK GDPR 2.1. On 25 May 2018, the GDPR entered into force, replacing the previous EU law data protection regime that applied under Directive 95/46/EC (“Data Protection Directive”)*?. The GDPR seeks to harmonise the protection of fundamental rights i respect of personal data across EU Member States and, unlike the Data Protection Directive, i directly applicable i every Member State.? 2.2. The GDPR was developed and enacted i the context of challenges to the protection of personal data posed by, i particular: a. the substantial increase i cross-border flows of personal data resulting from the functioning of the internal market;*+ and b. the rapid technological developments which have occurred during a period of globalisation.> As Recital (6) explains: “.. The scale of the collection and sharing of personal data has increased significantly. Technology allows’ both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities....” 2.3. Such developments made i necessary for “a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market...”.® 2.4. Against that background, the GDPR imposed more stringent duties on controllers and significantly increased the penalties that could be imposed for a breach of the obligations imposed on controllers (amongst others).’ 2 Directiv95/46/EC of theEuropean Parliamentand of theCouncil of 24October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. 3 Recital 3. 4 Recital 5. § Recital 7. 7 See, i particular, Recitals 11, 148, 150, and Article 5, Chapter IV and Article 83. The relevant obligations 2.5. Chapter 1 GDPR sets out the general provisions. Article 5 of Chapter I GDPR sets out the principles relating to the processing of personal data. Article 5(1) lists the six basic principles that controllers must comply with i processing personal data, including: 1. Personal data shall be: ..(f) processed in a manner that ensures appropriate security of the personal data, including protection § against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’) 2.6. Article 5(2) GDPR makes i clear that the “contro/ler shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)”. 2.7. Chapter IV, Section 1 addresses the general obligations of controllers and processors. Article 24 sets out the responsibility of controllers for taking appropriate steps to ensure and be able to demonstrate that processing i compatible with the GDPR. Articles 28-29 make separate provision for the processing of data by processors, under the instructions of the controller. 2.8. Chapter IV, Section 2 addresses security of personal data. Article 32 GDPR provides: 1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (C)... (d)a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing. 2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. 2.9, Article 32 GDPR applies to both controllers and processors. Penalties 2.10. Article 83(1) GDPR requires supervisory authorities to ensure that any penalty imposed i each individual case i “effective, proportionate and dissuasive". 2.11. The principle that penalties ought to be effective, proportionate and dissuasive i a longstanding principle of EU law. The Commissioner i under an EU law obligation to ensure that infringements of the GDPR are penalised i a manner that i effective, proportionate and dissuasive. 2.12. Further, Recital 148 emphasises, inter alia, that “in order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation.” I also records that due regard should be given to the: . nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor... 2.13. Recital 150 provides as follows: In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation. 2.14. In line with the above, when deciding whether to impose a fine and the appropriate amount of any such fine, Article 83(2) GDPR requires the Commissioner to have regard to the following matters: (a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; (b) the intentional or negligent character of the infringement; (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32; (e) any relevant previous infringements by the controller or processor; (f) the degree of co-operation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; (g)the categories of personal data affected by the infringement; (h) the manner in which the infringement became known to the supervisory authority, including whether, and if so to what extent, the controller or processor notified the supervisory authority of the infringement; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject- matter, compliance with those measures; ( adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and (k) any other aggravating or mitigating factor applicable to the case, including financial benefits gained, or losses avoided, directly or indirectly from the infringement. ® 2.15. Article 83(5) GDPR provides that infringements of the basic principles for processing imposed pursuant to Article 5 GDPR will, i accordance with Article 83(2) GDPR, be subject to administrative fines of up to €20 million or, i the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever i higher. 2.16. Article 83(4) GDPR provides, inter alia, that infringements of the obligations imposed by Article 32 GDPR on the controller and processer will, i accordance with Article 83(2) GDPR, be subject to administrative fines of up to €10 million or, i the case of an 8 See also the Article 29 Data Protection WParty Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, adopted on 3 October 2017, endorsed by the European Data ProtectionBoard at its first plensession.These providea high-level overview of the assessment criteria set out i Article 83(2) GDPR i Section ITI (“the Article 29 WP Guidelines”. 8 undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever i higher. 2.17. Article 83(3) GDPR addresses the circumstances i which the same or linked processing operations give rise to infringements of several provisions of the GDPR. I provides that “.. the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement”. 2.18. Article 83(8) GDPR provides that the exercise by any supervisory authority of its powers to fine undertakings will be subject to procedural safeguards, including an effective judicial remedy and due process. Cooperation and consistency 2.19. Where, as here, the processing i issue i cross-border, Article 56 GDPR makes provision for the designation of a lead supervisory authority. In this case, the Commissioner i acting as the lead supervisory authority. Chapter VII GDPR establishes the regime for ensuring cooperation between lead and other concerned supervisory authorities, permitting unified decision-making.? 2.20. Article 60 GDPR provides: 1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other. 2. The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State. 3. The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without ° The relevant provisions enacting this regime must be read subject to, i particular, Articles 7, 70 and 127-128 and 131 of the Withdrawal Agreebetween the EU and United Kingdom. 9delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views. 4. Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if i does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63. 5. Where the lead supervisory authority intends to follow the relevant and reasoned objection made, i shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks. 6. Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by i 7. The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision. 8. By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify i to the complainant and shall inform the controller thereof. 9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the 10 controller, shall notify i to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify i to that complainant and shall inform the controller or processor thereof. 10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned. . 2.21. Article 60(4) refers to the consistency mechanism, which i i Section 2 of Chapter VII GDPR. Article 63 provides that: “In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.” Article 65 GDPR provides, insofar as relevant, that: Dispute resolution by the Board 1. In order to ensure the correct and consistent application of this Regulation in individual cases, the Board shall adopt a binding decision in the following cases: (a) where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead authority or the lead authority has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject 2. The decision referred to in paragraph 1 shall be adopted within one month from the referral of the subject-matter by a two-thirds majority of the members of the Board. That period may be extended by a further month on account of the complexity of the subject-matter. The decision referred to in paragraph 1 shall be reasoned and addressed to the lead 11 supervisory authority and all the supervisory authorities concerned and binding on them. 3. Where the Board has been unable to adopt a decision within the periods referred to in paragraph 2, i shall adopt its decision within two weeks following the expiration of the second month referred to in paragraph 2 by a simple majority of the members of the Board. Where the members of the Board are split, the decision shall by adopted by the vote of its Chair. 4, The supervisory authorities concerned shall not adopt a decision on the subject matter submitted to the Board under paragraph 1 during the periods referred to in paragraphs 2 and 3. 5. The Chair of the Board shall notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. It shall inform the Commission thereof. The decision shall be published on the website of the Board without delay after the supervisory authority has notified the final decision referred to in paragraph 6. 6. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and at the latest by one month after the Board has notified its decision. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged, shall inform the Board of the date when its final decision is notified respectively to the controller or the processor and to the data subject. The final decision of the supervisory authorities concerned shall be adopted under the terms of Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in that paragraph will be published on the website of the Board in accordance with paragraph 5 of this Article. The final decision shall attach the decision referred to in paragraph 1 of this Article. DPA The Commissioner 2.23. Section 115 DPA establishes that the Commissioner i the UK’s supervisory authority for the purposes of the GDPR. Section 115 DPA 12 provides, inter alia, that the Commissioner’s powers under Articles 58(2)(i) (the power to impose administrative fines) and 83 GDPR are exercisable only by giving a penalty notice under section 155 DPA. Penalties 2.24. Section 155(1) DPA provides that, i the Commissioner i satisfied that a person has failed or i failing as described i section 149(2) DPA, the Commissioner may, by written notice (a “penalty notice”), require the person to pay to the Commissioner an amount i sterling specified i the notice. 2.25. Section 149(2) DPA provides: (1) The first type of failure is where a controller or processor has failed, or is failing, to comply with any of the following - (a) a provision of Chapter II of the GDPR or Chapter 2 of Part 3 or Chapter 2 of Part 4 of this Act (principles of processing); (b) . (c) a provision of Articles 25 to 39 of the GDPR or section 64 or 65 of this Act (obligations of controllers and processors)... 2.26. Section 155 DPA sets out the matters to which the Commissioner must have regard when deciding whether to issue a penalty notice and when determining the amount of the penalty. 2.27. Section 155(2) DPA provides that, subject to subsection (4), when deciding whether to give a penalty notice to a person and determining the amount of the penalty, the Commissioner must have regard to the matters listed i Article 83(1) and (2) GDPR. 2.28. Schedule 16 includes provisions relevant to the imposition of penalties. Paragraph 2 makes provision for the issuing of notices of intent to impose a penalty, as follows: (1) Before giving a person a penalty notice, the Commissioner must, by written notice (a “notice of intent”) inform the person that the Commissioner intends to give a penalty notice. 13 (2) The Commissioner may not give a penalty notice to a person in reliance on a notice of intent after the end of the period of 6 months beginning when the notice of intent is given, subject to sub-paragraph (3). (3) The period for giving a penalty notice to a person may be extended by agreement between the Commissioner and the person. 2.29. Paragraph 5 sets out the required contents of a penalty notice, i accordance with which this Penalty Notice has been prepared. Guidance 2.30. Section 160 DPA requires the Commissioner to produce and publish guidance about how she intends to exercise her functions. With respect to penalty notices, such guidance i required to include: (a) provision about the circumstances in which the Commissioner would consider i appropriate to issue a penalty notice; (b) provision about the circumstances in which the Commissioner would consider i appropriate to allow a person to make oral representations about the Commissioner's intention to give the person a penalty notice; (c) provision explaining how the Commissioner — will determine the amount of penalties; (d) provision about how the Commissioner will determine how to proceed if a person does not comply with a penalty notice. 2.31. Pursuant to section 161 DPA, the Commissioner's first guidance documents issued under section 160(1) DPA had to be consulted upon and laid before Parliament by the Secretary of State i accordance with the procedure set out i that section. Thereafter, i issuing any altered or replacement guidance, the Commissioner required to consult the Secretary of State and such other persons as she considers appropriate. The Commissioner must also arrange for such guidance to be laid before Parliament. 14The Commissioner’s Regulatory Action Policy 2.32. On 4 May 2018, the Commissioner opened a consultation process on how the Commissioner planned to discharge her regulatory powers under the DPA. The consultation attracted responses from across civil society, commentators, and industry (including the finance and insurance, online technology and telecoms, and charity sectors). The consultation ended on 28 June 2018. Having taken all the views received during the consultation process into account, the Regulatory Action Policy (the “RAP”) was submitted to the Secretary of State and laid before Parliament for approval. 2.33. Pursuant to section 160(1) DPA, the Commissioner published her RAP on 7 November 2018. Under the hearing “Aims”, the RAP explains that i seeks to: e “Set out the nature of the Commissioner’s various powers in one place and to be clear and consistent about when and how we use them”; e “Ensure that we take fair, proportionate and timely regulatory action with a view to guaranteeing that individuals’ information rights are properly protected”; e “Guide the Commissioner and our staff in ensuring that any regulatory action is targeted, proportionate and effective...”° 2.34. The objectives of regulatory action are set out at page 6 of the RAP, including: e “To respond swiftly and effectively to breaches of legislation which fall within the ICO’s remit, focussing on [inter alia] those adversely affecting large groups of individuals”. e “To be effective, proportionate, dissuasive and consistent in our application of sanctions”, targeting action taken pursuant to the Commissioner’s most. significant powers on, inter alia, “organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data”. 1 RAP, page 5 152.35. The RAP explains that the Commissioner will adopt a selective approach to regulatory action.‘ When deciding whether and how to respond to breaches of information rights obligations she will consider criteria which include the following: e “the nature and seriousness of the breach or potential breach”; e “where relevant, the categories of personal data affected (including whether any special categories of personal data are involved) and the level of any privacy intrusion”; e “the number of individuals affected, the extent of any exposure to physical, financial or psychological harm, and, where i is an issue, the degree of intrusion into their privacy”; e “whether the issue raises new or repeated issues, or concerns that technological security measures are not protecting the personal data”; e “the cost of measures to mitigate any risk, issue or harm”; e “the public interest in regulatory action being taken (for example, to provide an effective deterrent against future breaches or clarify or test an issue in dispute)”.++ 2.36. The RAP explains that, as a general principle, “more serious, high- impact, intentional, wilful, neglectful or repeated breaches can expect stronger regulatory action”.13 2.37. Pages 24-25 of the RAP identify the circumstances i which the issuing of a Penalty Notice will be appropriate. They explain, inter alia, that i “ considering the degree of harm or damage we may consider that, where there is a lower level of impact across a large number of individuals, the totality of that damage or harm may be substantial, and may require a sanction.” The RAP stresses that each case will be assessed objectively on its own merits. However, i explains that, i accordance with the Commissioner’s risk-based approach, a penalty i more likely to be imposed in, inter alia, the following situations: 1 RAP, pages 6-7 and 10. 1 RAP, pages 10-11. 1 RAP, page 12. 16 e “a number of individuals have been affected”; e “there has been a degree of damage or harm (which may include distress and/or embarrassment)”; and e “there has been a failure to apply reasonable measures (including relating to privacy by design) to mitigate any breach (or the possibility of it)”. 2.38. The process the Commissioner will follow i deciding the appropriate amount of penalty to be imposed i described from page 27 onwards. In particular, the RAP sets out the following five-step process: a. Step 1. An ‘initial element’ removing any financial gain from the breach. b. Step 2. Adding i an element to censure the breach based on its scale and severity, taking into account the considerations identified at section 155(2)-(4) DPA. c Step 3. Adding i an element to reflect any aggravating factors. A list of aggravating factors which the Commissioner would take into account, where relevant, i provided at page 11 of the RAP. This list i intended to be indicative, not exhaustive. d. Step 4. Adding i an amount for deterrent effect to others. e. Step 5. Reducing the amount (save that i the initial element) to reflect any mitigating factors, including ability to pay (financial hardship). A list of mitigating factors which the Commissioner would take into account, where relevant, i provided at page 11-12 of the RAP. This list i intended to be indicative, not exhaustive. 3. CIRCUMSTANCES OF THE FAILURE: FACTS Marriott’s acquisition of the Starwood network 3.1. Marriot acquired Starwood i September 2016. During the acquisition process, Starwood shareholders received 0.8 shares of Marriott, as well as $21 per Starwood common stock. After the acquisition, the Marriott and Starwood computer systems were kept 17 separate, and they remained separate throughout the relevant period. Marriott did, however, plan on integrating aspects of the Starwood network into the Marriott network over an 18-month period i order to create a single, unified network within Marriott’s security footprint. 3.2. Upon acquisition, but prior to decommissioning the Starwood network, Marriott made enhancements to the security of Starwood’s existing IT network. 3.3. During the acquisition process, Marriott states that i was only able to carry out limited due diligence on the Starwood data processing systems and databases.'* For the avoidance of any doubt, the Commissioner i not making any finding of infringement in respect of the period between Marriott’s acquisition of Starwood and the entry into force of the GDPR on 25 May 2018. Accordingly, the Commissioner has not determined whether or not i was possible for Marriott to conduct due diligence during a takeover. There may be circumstances i which in-depth due diligence of a competitor i not possible during a takeover. 3.4. This Penalty Notice concerns the extent to which, after the GDPR came into effect on 25 May 2018, Marriott adequately prepared the Starwood systems to protect personal data. In particular, i i necessary to assess whether the Attack disclosed a failure to ensure compliance with Articles 5.1(f) and 32 of the GDPR following its entry into force. The planned integration of the Starwood and Marriott networks 3.5. The integration of Starwood into the Marriott hotels group began following the acquisition. While this involved the transferring of data from the Starwood systems to the Marriott network, the systems accessed by the Attacker remained segregated from the Marriott network. 3.6. As a result, the Attack did not involve access to the wider Marriott network and the Attacker would not have had access to personal data that was processed only on non-Starwood systems. The planned migration and the decommissioning of the Starwood 1 See, for example, the representations served by Marriott i response to the Commissioner’s Notice of Intent (“Marriott's First Representatiopara 1.33. 18 systems was expedited by Marriott after discovery of the Attack and the decommissioning of the relevant Starwood systems was completed on 11 December 2018. The Attack 3.7. What follows i a summary of the key stages of the Attack. Pre-acquisition infiltration of the Starwood IT systems 3.8. The Attacker installed a web shell on a device within the Starwood network on 29 July 2014. This device was used to support an Accolade software application. That application was used by Starwood to allow employees to request changes to any content of Starwood's website. 3.9. The installation of a web shell on the server gave the Attacker the ability to remotely access the system, therefore allowing for the accessing and editing of the contents of that system. This access was exploited i order to install Remote Access Trojans (“RATS”) - malware which enables remote administrator control of the system. Administrator access allows a user to perform actions above that permitted by a normal user. As a result, the Attacker would have had unrestricted access to the relevant device, and any other devices on the network to which that administrator account would have had access. 3.10. On an undetermined date, the Attacker installed and executed “Mimikatz”. This i a post-exploitation tool which allows login credentials temporarily stored i the system memory to be harvested. I scanned the server for all the usernames and passwords stored i this manner i the system and allowed the Attacker to continue to compromise user accounts, which were secured using a mixture of single and multi-factor authentication.‘ These accounts were then used to perform further reconnaissance and, ultimately, to run commands on the Starwood reservation database, as described below. 3.11. On 15 April 2015, a file named “Reservation _Room_sharer.dmp” was created on a Starwood device. This file could have been created 1 Marriott’s First Representations, para 1.40 and page 63. 19 by the Attacker with a view to exfiltrating all the data contained i the table at once.® 3.12. On 21 April 2015, a file named “Consumption_Roomtype.dmp” was created. This file could have been created by the Attacker with a view to exfiltrating all the data contained i this table at once.!” 3.13. On 17 May 2016, a file named “reservation_Room_Sharer.dmp” was created. This file could have been created by the Attacker with a view to exfiltrating all the data contained i this table at once.*® 3.14. Following Marriott’s acquisition of Starwood, on 31 December 2016 or 1 January 2017,1° additional malware which searched devices for payment card data, known as “memory-scraping malware”, was installed on multiple Starwood Devices. Marriott believes, but cannot be certain, that this action was carried out by a different attacker to the one responsible for the actions described immediately above. The memory-scraping malware was executed on 10 January 2017 on eight property management systems, but the malware was not successful i collecting payment card data from any of the devices. The eight properties involved were not in the European Union. Continued Attack, post-acquisition and following the GDPR coming into force 3.15. On 7 September 2018, the Attacker performed a “count” on the “Guest_Master_profile” table, which would have told the Attacker how many rows the table contained. 3.16. This count triggered an alert on the Guardium system placed on the database (“the Guardium Alert”). Such alerts were applied to tables which included card details.2° The other tables mentioned above did not contain payment card information and were not protected by Guardium software. Thus, no alarm could be triggered by the actions of the Attacker. 1 Marriott’s First Representations, page 63. 1 Marriott’s First Representations, page 63. 1 Marriott’s First Representations, page 63. 1 Marriott has also provided the alternative date of 1 January 2017 for this installation (see Marriott’s Second Representations, page 37). 2 “Guardium” i a data protection software produced by IBM. 203.17. The Attacker also exported the “Guest_Master_profile” table into a “dmp” file (as had previously occurred i relation to the other tables referred to above). Discovery and reporting of the breach 3.18. On 8 September 2018, Accenture, the company managing the Starwood Guest Reservation Base, contacted Marriott’s IT team regarding the Guardium alert of the previous day. This was the first Guardium alert relating to the Attack that Marriott had received since its acquisition of Starwood. 3.19. On 10 September 2018, the “PP_Master” table was exported to a “dmp” file on the Starwood system. 3.20. Following the Guardium alert, on 9/10 September 2018, Marriott instigated its Information Security and Privacy Incident Response Plan. On 12 September 2018, Marriott began to deploy real-time monitoring and forensic tools on 70,000 legacy Starwood devices. The purpose of this measure was to monitor the local system and identify potentially malicious activity i real-time, with findings reported back to Marriott’s central monitoring server. 3.21. On 15/16 September 2018, Marriott identified further unauthorised activity from 7 July 2018, specifically the use of credentials of Accenture employees. 3.22. On 17 September 2018, the presence of a RAT was identified. Marriott took action to contain the RAT, by blocking the command- and-control IP addresses used by the RAT. 3.23. In early to mid-October 2018, the Attacker’s use of Mimikatz ona number of occasions since 2014 was identified, as was the memory- scraping malware, referred to i paragraph 3.14. On 29 October 2018, Marriott contacted the United States Federal Bureau of Investigation. 3.24. On 13 November 2018, two compressed, encrypted and previously deleted files were identified. These files were named “guest_master_profile” and “pp_master”. On 19 November 2018, the aforementioned files were decrypted, and i was found that they respectively contained an export of the Guest_Master_Profile table and the PP_Master table. 213.25. On 22 November 2018, Marriott notified the Commissioner of a personal data breach. 3.26. On 25 November 2018, Marriott discovered that a file named “Reservation_room_sharer.dmp” had been created on a Starwood device, and on 26 November 2018, Marriott identified a second file named “Reservation_room_sharer.dmp” which had been created on a Starwood device, and _ established that a file mamed “consumption_roomtype.dmp” had also been created. 3.27. On 30 November 2018, Marriott provided a follow-up report to the Commissioner regarding further personal data breaches. On the same day, Marriott issued a press release about the Attack and established a dedicated Starwood incident website. Marriott also began sending email notifications to affected data subjects on 30 November 2018. In the initial email notification to data subjects, Marriott informed them that a dedicated call centre had been set up i order to receive complaints. The email notification did not provide the telephone number for the call centre, however i did contain a link to the dedicated website, which included the telephone number of the call centre. Following telephone contact between the Commissioner’s office and Marriott, the email was updated to include the telephone number for the call centre, and Marriott sent the revised version on 9 December 2018.2! 4.PERSONAL DATA INVOLVED IN THE FAILURE 4.1. The Attacker appears to have obtained personal data i both encrypted and unencrypted forms. The unencrypted information included: a. On the “Guest_Master_Profile_table” file: a numerical identifier to identify the guest, guest name, gender, date of birth, whether the guest has been identified as a VIP, whether the guest i a member of the Starwood loyalty programme and their account information (“SPG”), mailing address, passport country code, phone number, fax number, email address, and credit card expiration date. 2 Marriott First Representations, page 65. 22 On the “reservation_room_sharer_table”: a central reservation confirmation number, a unique numerical room identifier, guest name, SPG account information, whether the guest has been identified as a VIP, a separate VIP code, 5.25 million unencrypted guest passport numbers (935,000 of which were passports associated with EEA member state records), country of guest’s passport, arrival time, departure date, address, phone and fax numbers, email address, whether the guest has checked in, flight number and airline code, and the total number of guests i the room. On the “consumption_room_type_table”: a reservation confirmation number, the Guest Master profile ID, a unique numerical room identifier, room type, number of child guests, number of adult guests, number of cribs used i the room, number of rollaway beds designed for adults and the number of rollaway beds designed for children, guest arrival date; On the “PP_master_table”: the passport number record specific decryption key. Marriott considers that this would not be sufficient to decrypt the passport numbers as a master encryption key i also required, and does not appear to have been obtained by the attackers. 4.2. The encrypted information was as follows: a. 18.5 million encrypted passport numbers, 4,290,000 of which were associated with EEA member state records. 9.1 million encrypted payment cards, 873,000 of which are associated with EEA member state records.2? 4.3. Marriott’s estimate i that 339 million guest records were affected. Of these, 30.1 million were EEA records,** of which 7 million are associated with the United Kingdom. All data subjects who were affected pre-GDPR were also affected by the actions of the Attacker post-GDPR, as the entire contents of the affected tables were exported to “dmp” files on the Starwood system each time. 2 Marriott’s First Representations, page 65. 2 Marriott’s First Representations, page 65. 2 Marriott’s First Representations, page 65. 23 However, the specific personal data involved differed between individual data subjects. 5. PROCEDURE 5.1. This section summarises the procedural steps the Commission has taken. The Annex to this Penalty Notice provides a more detailed chronology. 5.2. Marriott notified the Commissioner of the Attack on 22 November 2018. In response, the Commissioner commenced an investigation into the incident. That investigation included various exchanges with Marriott and considering detailed submissions and evidence. 5.3. On 5 July 2019, the Commissioner issued Marriott with a Notice of Intent to impose a penalty, pursuant to section 155(1) DPA and Schedule 16 of the DPA (the “NOI”). The proposed penalty was £99,200,396.00. 5.4. Marriott made written representations in response to the NOI on 23 August 2019, which are referred to i this Notice as “Marriott’s First Representations”. Marriott did not request an opportunity to make oral submissions. 5.5. Between August and October 2019, Marriott and the Commissioner exchanged correspondence about a number of issues, including (a) the application of the Commissioner’s Draft Internal Procedure, which i discussed further below; (b) the application and/or operation of the Article 60 GDPR consultation process; and (c) Marriott’s request for further opportunities to make submissions or representations prior to and during the Article 60 process. 5.6. In a letter dated 6 December 2019, the Commissioner: a. confirmed that she no longer intended to exercise her discretion to convene the Panel; b. confirmed that the Draft Internal Procedure would not be taken into account in setting any penalty imposed on Marriott, having considered the detailed representations Marriott had made on this issue i its First Representations. The letter confirmed that the Commissioner would continue to apply the EU and domestic 24 legislative framework i conjunction with the Regulatory Action Policy; c outlined how the Article 60 consultation process would be conducted i this case; and d. agreed to give Marriot the opportunity to make _ further representations on the Commissioner’s draft decision i Marriott agreed to extend the six-month period for the issuing of a penalty notice prescribed i paragraph 2 of Schedule 16 of the DPA. The Commissioner proposed a new deadline of 31 March 2020. 5.7. The Commissioner’s position on these issues was informed, i particular, by careful consideration of Marriott’s First Representations. Given the length and detail of those representations and the overall complexity of the case, that consideration took time and considerable resources. That process also resulted in changes and clarifications to the form and content of the draft decision. 5.8. The Commissioner was also especially mindful of the fact that she acted as lead supervisory authority pursuant to Article 60 GDPR i this case, and that i was therefore important that her investigation and decision be as comprehensive as possible, since the draft decision must be submitted for the consideration of other supervisory authorities pursuant to Article 60(3). 5.9. Although not required by law, the Commissioner considered that a further opportunity for Marriott to make representations was appropriate, provided that an agreement could be reached on extending the statutory timetable having regard, i particular, to: ( the complexity of the case, (ii) Marriott’s representations, and (iii) the fact that this i one of the first major decisions made under the new EU data protection regime. 5.10. Following further correspondence, Marriott confirmed on 17 December 2019 its agreement to a statutory extension of time to 31 March 2020. On 20 December 2019, the Commissioner provided Marriott with a draft decision, and invited i to make further written representations and to provide any other relevant evidence i wished the Commissioner to take into account. 255.11. On 31 January 2020, Marriott provided further detailed written representations on the Commissioner’s draft decision (“Marriott’s Second Representations”). 5.12. On 12 February 2020, the Commissioner wrote to Marriott requesting further information and documents which arose from her consideration of the Second Representations. 5.13. In the light of the length and complexity of the Second Representations, on 13 February 2020 the parties agreed a further statutory extension of time until 1 June 2020. 5.14. Between 28 February 2020 and 28 April 2020, Marriott provided the Commissioner with the information she had requested on 12 February 2020. 5.15. On 3 April 2020 the Commissioner invited Marriott to make further representations specifically i respect of the financial impact on its business caused by the Covid-19 pandemic. Marriott provided a response to this request on 17 April 2020. 5.16. Due to the impact of the Covid-19 pandemic, on 17 April 2020 the parties agreed a further statutory extension of time for the issuing of a penalty notice to 30 September 2020. 6. CIRCUMSTANCES OF THE FAILURE: BREACHES Marriott’s failures 6.1. The Commissioner’s conclusion i that between 25 May 2018, when the GDPR entered into force, and 17 September 2018, Marriott failed to comply with its obligations under Article 5(1)(f) and Article 32 GDPR. Marriott failed to process personal data i a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures as required by Article 5(1)(f) and Article 32 GDPR. 6.2. This section describes the specific failures to comply with the GDPR that the Commissioner has found and responds to Marriott’s First and Second Representations on the Commissioner’s NOI and draft decision. 26 The relevant standard 6.3. As set out above, Article 5 GDPR requires that personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The data controller, in this case Marriott, i responsible for, and must be able to demonstrate compliance with, that requirement. 6.4. Article 32 GDPR concerns the security of processing personal data and, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, requires a controller to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Such measures may include encryption of personal data and a process for regularly testing, assessing and evaluating the effectiveness of such technical and organisational measures.2° 6.5. Not every instance of unauthorised processing or breach of security will necessarily amount to a breach of Article 5 or Article 32. The obligation under Article 5 GDPR i to ensure appropriate security; the obligation under Article 32 i to implement appropriate technical and organisational measures to ensure an appropriate level of security, taking account of the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk to the rights of data subjects. 6.6. When considering whether there has been a breach of the GDPR and whether to impose a penalty, the Commissioner must therefore avoid reasoning purely with the benefit of hindsight. The focus should be on the adequacy and appropriateness of the measures implemented by the data controller, the risks that were known or could reasonably have been identified or foreseen, and appropriate measures falling within Article 5 and/or Article 32 GDPR that were not, but could and should have been, i place. 2 See also Recitals 76, 77 and 83 GDPR. 2/6.7. Having carefully examined the available evidence, including the evidence and submissions from Marriott and Marriott’s Representations, the Commissioner i satisfied that there were multiple failures by Marriott to put i place appropriate technical or organisational measures to protect the personal data being processed on Marriott’s systems, as required by the GDPR 6.8. The NOI and draft decision identified a number of failures by Marriott to put i place appropriate security measures. Following careful consideration of the detailed representations received from Marriott, four principal failures by Marriott are now the subject of this Penalty Notice, which are outlined below. Preliminary issue: revised scope of the findings made 6.9. In the NOI and the draft decision, concerns were raised in relation to the gaps which the Attack identified i the application of multi- factor authentication (“MFA”) within the relevant Starwood network. The Attacker was able to access the Starwood Cardholder Data Environment (“CDE”) because MFA was not applied to a accounts and systems with access to the CDE. 6.10. Marriott has explained that: a. i believed that MFA was i place across the CDE because i had received assurances from Starwood’s management to this effect;2° and b. this belief was corroborated by two Reports on Compliance (“ROCs”), issued by independent PCI DSS?’ assessors on 29 April 2016 (pre-acquisition) and 23 May 2017 (post- acquisition), which stated that MFA was i place for anyone requiring access into the segmented CDE and was enabled on the jump-server v ia 2° Marriott placed particular reliance i its representations on 23 May 2017 report. 6.11. Having considered, i particular, Marriott’s Second Representations i response to the draft decision,*? the Commissioner i satisfied that Marriott did not breach its obligations under the GDPR by 2 Marriott’s First Representations, para 1.40(a). 2 Payment Card Industry Data Security Standard (“PCI DSS”). 2 Marriott’s First Representations, para 1.40(b). 2 Marriott’s Second Representations, paras 3.2 - 3.7 and 3.20-3.24. 28 relying upon the ROCs (in particular, the ROC issued i May 2017) issued by the PCI DSS assessors to conclude that access to the CDE was protected by MFA (albeit erroneously). The incomplete implementation of MFA i not therefore the subject of this Penalty Notice (and consequently was not taken into account i assessing the appropriate penalty). The four principal failures 6.12. Taking into account the representations made by Marriott,*° the following four principal failures are the subject of this Penalty Notice. (1) Insufficient Monitoring of Privileged Accounts 6.13. As explained above, the Attacker was able to obtain access to the CDE by exploiting an unknown gap i the scope of application of MFA. This failure to secure the ‘outer ring’ of the CDE i not the subject of this Penalty Notice. Instead, i i of concern that once the Attacker gained access to the CDE, appropriate and adequate measures were not i place to allow for the identification of the breach and to prevent further unauthorised activity (including further unauthorised processing of personal data). This concern arises first i respect of Marriott’s failure to put i place appropriate Ongoing monitoring of user activity, particularly activity by privileged accounts. 6.14. Marriott had itself determined that there was insufficient monitoring o p rivleged u sr a ccount| Whilst Marriott did deploy a Security Operations Centre (“SOC”) P E , this was insufficient for the reasons given at para 6.23 below. 6.15. The National Cyber Security (“NCSC”) guidance, published on 17 November 2018, entitled “10 Steps to Cyber Security: Guidance on how organisations can protect themselves in cyberspace, including the 10 steps to cybersecurity", lists “monitoring” as one of the relevant steps. I explains the importance of monitoring to detecting 3 See,for exampleMarriott’s SecRepresentationparas2.2(b)-(c3.1(b)3.8-3.13and 3.25-3.29. ee 29 or responding to attacks which have already taken place or commenced: Detect attacks: Either originating from outside’ the organisation or attacks as a result of deliberate or accidental user activity. Attacks may be directly targeted against technical infrastructure or against the services being run. Attacks can also seek to take advantage of legitimate business services, for example by using stolen credentials to defraud payment services. React to attacks: An effective response to an attack depends upon first being aware than an attack has happened or is taking place. A swift response is essential to stop the attack, and to respond and minimise the impact or damage caused. Account for activity: You should have a complete understanding of how systems, services and information are being used by users. Failure to monitor systems and their use could lead to attacks going unnoticed and/or non-compliance with legal or regulatory requirements.?2 6.16. The NCSC guidance also explains that monitoring activities should include, inter alia, the monitoring of network traffic and user activity. This NCSC guidance builds upon earlier guidance published by the NCSC which i to similar effect. See, for example, the NCSC guidance entitled “Introduction to identity and access management” published i January 2018? which refers to: (a) “basic principles to follow when designing user access management”; and (b) “basic architectural good practice when designing and administering access management systems”. Such basic principles and practices include “operations and monitoring - the supporting processes and technology to identify and enable investigation of breaches of policy or controls”. The guidance explains that: Given the high value to an attacker of compromising your identity and access management systems they should be given priority for security maintenance. This means, amongst other things, prompt application of security patches across your estate (or otherwise mitigating security issues), practicing good user and privileged user management, and 3 https: //www.nesc.gov.uk/collection/10-steps-to-cyber-security ?curPage=/collection/10-steps- to-cyber-security/the-10-steps/monitoring 3 https: //www.ncsc.gov.uk/quidance/introduction-identity-and-access-management 30 applying appropriate protective monitoring. Additionally, we recommend: e designing your access control systems to allow for easy monitoring of account usage and accesses e being able to tie all user actions in the system to the user that performed them...” 6.17. Both examples of NCSC guidance detail the basic need for multiple security techniques, processes and technologies i order to secure systems. Accordingly, Marriott ought to have been aware of the need to have multiple layers of security i place i order to adequately protect personal data. Although Marriott had assured itself that i had MFA i place** (which, as explained above, the Commissioner accepts that Marriott did), and had certain additional security measures i place, this was not sufficient. Marriott ought to have had i place better monitoring of user activity to aid i the detection of an attack, as an additional layer of security. 6.18. A forensic report into the incident, dated 11 April 2019, was commissioned by Marriott and prepared by Verizon (the “Verizon Report”). I notes that Marriott had not configured logging i respect of “access to systems and/or applications within the CDE.”?° Marriott did have the results of the ROCs and its own annual penetration tests. However, these did not evaluate’ the appropriateness of the way i which Marriott monitored (including through logging) the Starwood system or the configurations used for any such monitoring (including logging). Logging configurations are not within the scope of these tests. This i not a criticism of the ROCs or the penetration tests themselves. Rather i reflects the fact that Marriott ought to have taken steps to irmplement measures which would identify vulnerabilities which the ROCs and penetration tests would not identify. Such steps would include the implementation of effective monitoring (including logging) and alerts as part of Marriott’s wider security measures. This i the gap identified by the Verizon Report. 6.19. In this case, appropriate monitoring would have included the appropriate logging of user activity, especially i relation to privileged users. The logging of user activity once within the CDE, i 34 Contrary to, for exampara 3.6 of Marriott’s SecRepresentations. 3 Verizon Report, page 18. 31 addition to the logging done by the Guardium software, would have aided i the detection of unusual account activity (such as where, i this case, the Attacker regularly utilised legitimate accounts to perform unauthorised user activity within the CDE). Marriott's failure to log user activity i this way was inconsistent with its obligations under the GDPR. 6.20. Marriott states that “no amount of logging would necessarily have identified an attacker unless the attacker operated from an identified suspicious IP address, which is not the case in this matter.’*© I i right to say that no security measure “would necessarily” work, there being no guarantee that any security measure i wholly effective. I i also true that i i harder to detect an attacker who i not operating from a suspicious IP address. However, this i precisely why the monitoring of legitimate user accounts (including through logging) within the network for unusual activity i vital. This i recognised by the NCSC, which states i relation to monitoring: “these solutions should provide both signature-based capabilities to detect known attacks, and heuristic capabilities to detect unusual system behaviour".?’ (2) Insufficient Monitoring of Databases 6.21. In addition to the insufficient monitoring of user accounts and the user activity linked to those accounts, Marriott failed to adequately monitor the databases within the CDE. In this respect, the Commissioner i concerned by the following three failures: (a) deficiencies i Marriott’s setup of security alerts on databases within the CDE; (b) the failure to aggregate logs; and (c) the failure to log actions taken on the CDE system, such as the creation of files and the exporting of entire database tables. 6.22. Marriott deployed IBM Guardium to monitor activity on the database within the CDE. As configured by Marriott, IBM Guardium had two functions. First, i logged activity (such as efforts to create, read, update, or delete data within a database). Secondly, i issued alerts i certain circumstances. The problems with the approach adopted are as follows. ° Marriott’s Second Representations, para 3.39. 3 NCSC “10 Steps to Cyber Security” Guidance, dated2018:ovember https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/the-10-steps/monitoring 326.23. With respect to logging, there were two main problems: a. First, whilst Marriott had a security incident event management system (“SIEM”) and a SOC to collect the logs being generated by the system, Marriott did not ensure sufficient logging of key activities such as user activity or actions taken on a database. The insufficient logging rendered the SIEM and SOC ineffective. Marriott also insufficiently logged i other areas of its network, such as firewall and access logs. b. Second, Marriott did not engage i server logging of the creation of files (or alternatively i did not use the IBM Guardium software i a similar way), which allowed the Attacker to export entire databases to ‘dmp’ files undetected. Such logging i likely to have been feasible for Marriott as such mass export of data does not regularly occur within the normal course of business so as to generate an unhelpful number of false-positives. This form of logging on the system, and the evaluation of the created logs, could have enabled Marriott to detect unexpected activity within the CDE. 6.24. In response to the concerns raised, Marriott has referred to its use of Proventa and McAfee’s IntruShield (two systems which generate and aggregate logs).*® These are not, however, sufficient to address the risks faced by the Starwood network. McAfee’s Intrushield aids in the detection of zero-day, DoS attacks, spyware, malware, botnets and VoIP threats, while Proventia operated as an intrusion detection system. Like Proventa, IntruShield does not address the shortcomings identified above, namely the failure to monitor database activity and user actions on network devices. 6.25. Marriott stated i its First Representations, and the Commissioner agrees, that such logging would not have prevented the Attack i of itself, but “merely informs a response once the system operator is aware of the malicious activity”.7° However, regular and close monitoring and evaluation of logs can assist i the early detection of attacks, their mitigation, and the prevention of future attacks. That Marriott did not detect the Attack until alerted by Guardium i 3 Marriott’s Second Representations, para 3.40. 3 Marriott’s First Representations, para 1.61. 33 indicative of Marriott failing regularly to test, assess, and evaluate the effectiveness of its security measures. 6.26. With respect to the Guardium alerts, the problem was that the circumstances i which IBM Guardium would issue alerts were limited i a way which undermined its ability to detect unauthorised activity within the databases. 6.27. In particular, alerts were only placed on tables that contained payment card information, and only specific queries (where table names were directly referenced, such as i a count) triggered warnings i the system. Although the database as a whole did have some protection from Guardium,*2 the known actions of the Attacker prior to 7 September 2018 did not meet the conditions for the triggering of an alert.*4 Marriott has explained that specific alerting rules and tables were chosen i order to reduce false- positives. However, this explanation i insufficient to justify an approach where only tables including payment card data were placed within the scope of Guardium rules. Marriott’s focus on payment card information illustrates a failure to implement appropriate technical and organisational measures to ensure an appropriate level of overall security for all other personal data. 6.28. A risk-based approach was required i this case (as acknowledged i para 1.45 of Marriott's First Representations). Payment card data i likely to be the highest risk category, and the tables containing payment card data could therefore warrant higher security than other tables depending on the sensitivity of the other data held. However, while a risk-based approach may require payment card data to have additional security alerts, this does not justify a complete lack of alerts on tables containing other personal data. Moreover, the other data held may vary i its sensitivity, requiring different security measures to be applied to the tables/relevant processing. 6.29. Marriott stated that i reasonably assumed, based upon the PCI DSS testing results, that the Guardium alerts i respect of the CDE were appropriately configured.*2 However, the PCI DSS tests concerned 40 Namely i terms of detecting unauthorised access based on IPs or failed login attempts, which the Attacker i this incident bypassed through comprouser credentials. + As confirmed by Marriott in its correspondence dated 20 D2018, page 6. 4 Marriott’s First Representations, paras 1.43-44. 34 the perimeter defences against an attack rather than monitoring systems concerned with the detection of an attacker who had already penetrated the CDE. The tests did not assess the appropriateness of the discriminatory application of the alerts across the CDE segment, nor what this meant for the security of categories of personal data stored i tables which did not contain payment card information. They do not, therefore, provide the reasonable assurance which Marriott claims. 6.30. Finally, Marriott suggested that because i believed MFA was implemented across the CDE, this rendered its reliance on that authentication tool and the Guardium alerts as _ configured reasonable and therefore i compliance with Articles 5(1)(f) and 32 GDPR. This i not accepted, monitoring (including logging) of the types discussed i paras 6.13 to 6.29 above are standard security measures. Control of access through MFA does not displace the need for adequate monitoring (including logging) of activities that assist i detecting a breach once i i i train (see paras 6.15-6.17 above). (3) Control of critical systems 6.31. As discussed at paragraphs 6.13-6.30 above, Marriott failed to ensure that the actions taken on its systems were appropriately monitored. In addition to the use of monitoring and security alerts, i would have been appropriate for Marriott to implement a form of server hardening as a preventative measure, which could have prevented the Attacker from gaining access to administrator accounts and performing reconnaissance before traversing across a network. 6.32. In particular, the implementation of whitelisting i one way in which Marriott could have performed server hardening. Whitelisting i a form of programming which only allows certain users or IP addresses to access certain systems or software, as required for their specific role. I i important i reducing attack surfaces and reducing the risk of attackers being able to traverse through a network after gaining entry to a single user account. 6.33. Whitelisting should be deployed where appropriate on critical systems, and those systems which have access to large amounts of personal data. The NCSC Guidance states that: “you should develop a strategy to remove or disable unnecessary functionality from 35 systems.”*? Whitelisting i also described i NCSC Cyber Essentials guidance as a defence against malware.** This supports advice given i earlier guidance by NIST. In October 2015 NIST published a guide to whitelisting which shows how whitelisting can be utilised to prevent unauthorised software from being installed on a device.*° In this incident, whitelisting could have aided i halting the reconnaissance and privilege escalation stage of the Attack. 6.34. There are many forms of whitelisting. Binary software whitelisting i a form of access control where only authorised software and scripts can be installed on a given system or user areas. For example, only allowing pre-approved software such as Microsoft Word and Outlook to be installed on work laptops. This can be distinguished from other forms of whitelisting, such as the process by which only authorised IP addresses can gain access to network resources.*© Whilst i i not possible to list the devices i relation to which whitelisting could have been appropriate, at a minimum whitelisting would be expected on: (a) devices which could be remotely accessed; (b) devices which store large amounts or, or sensitive categories of, personal data; (c) any other systems which Marriott regards as ‘critical’ to their network operations; (d) any POS terminals at a property level; and any other devices which process payment card transactions.*”? The implementation of binary software whitelisting would — i correctly implemented - have prevented the installation and execution of a RAT. While i i true that the RAT was installed and executed on the system both pre-acquisition and pre-GDPR, and was therefore not attributable to Marriott, the continued absence of whitelisting post-GDPR left the systems for which Marriott was responsible vulnerable to further RAT installations and executions. 6.35. Marriott stated i its First Representations that binary software whitelisting was rarely implemented by companies at the time of the See https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/the-10-steps 44 NCSC Cyber Essentials GuidancRequirements for IT infrastructure (dated April 2020): https ://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-IT-infrastructure.pdf (pages 10- 11, under the heading “MalwaProtection”). This language was also included i the now archived version of this guidance, which dated from January 2015: https: //webarchive. nationalarchives. gov.uk/20150605225501/https://www.gov.uk/government/pu blications/10-steps-to-cyber-security -advice-sheets/10-steps-secure-configuration--11 45 https: //nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf (dated October 2015). See, i particular, section 2.1 on page 2. 4 See para 1.52 of Marriott’s First Representations. 47“Protecting Point of Sale Devices from Targeted Attacks” (Microsoft), dated 1 April 2014. https://download. microsoft.com/documents/en-us/Protecting_Point_of_Sale_Devices- April_2014.pdf. See, i particular, page 5. 36 incident, because i places a heavy burden on IT systems.*® However, binary software whitelisting was a well-recognised and established security practice for some time before the GDPR came into force, and certainly by that date. The NCSC Guidance lists whitelisting (“prevent unknown software from being able to run or install itself...") as a “Cyber Essential”. That guidance was published in October 2015, and therefore pre-dates the GDPR.*° In addition, there i guidance published by the National Institute of Standards and Technology (“NIST”), which recognises whitelisting as a better option than anti-malware.°° The NIST Guidance was published i 2015, and therefore significantly pre-dates the implementation of the GDPR. 6.36. Marriott also stated i its First Representations that binary software whitelisting could be circumvented by attackers ‘side loading’ RATS by using legitimate executable code.>! Whitelisting, like all security measures, cannot be entirely resistant to attack. However, where side-loading did take place i the Attack, that appears to have been because Marriott’s systems vaguely or improperly specified a dynamic-link library (DLL) which allowed such side-loading to take place.°* Whilst Marriott i right to suggest that these are risks which cannot be fully eliminated from any third-party software,>? this only highlights the fact that Marriott ought to have carried out regular audits, updates of software and restricted file and directory permissions. The existence of outdated/obsolete software i also an issue noted i both the 2017 and 2018 PCI DSS Reports, and these could have been mitigated by properly reacting to issues discovered i the penetration tests. 6.37. In any event, no single security measure can fully protect a system against attack or compromise. I would have been appropriate for Marriott to have implemented a ‘defence i depth’ strategy, of which whitelisting could play an important role, i order to protect their systems against attack and monitor activity on their network i 4 Marriott’s First Representations, para 1.53. 4 See: https: //www.ncsc.gov.uk/information/reducing-your-exposure-to-cyber-attack 5 See: https://www.ncsc.gov.uk/information/reducing-your-exposure-to-cyber-attacthend reference to “whitelisting and execution control - preventsoftware from being able to run or install itself.” 5 Marriott’s First Representations, para 1.53. allow side loading to take place.echniques/T1for an explanationof the vulnerabilities that 5 Marriott’s Second Representations, para 3.31. 37 order to promptly mitigate any unauthorised or malicious actions that managed to bypass their security controls. 6.38. The measures discussed above are readily available and mature solutions (i.e. solutions that have been known about i the industry for a long period of time), which are appropriate and could have been implemented by Marriott, to the extent necessary, without entailing excessive cost or technical difficulties. However, i i only suggested that whitelisting (or equivalent server hardening measures which would limit the functionality of systems to only that which i required of them) could be appropriately deployed on (a) critical systems which attackers may target whilst looking to access other, sensitive areas of the network, or (b) systems which could access other (separate) systems containing personal data. Therefore, i would be appropriate to implement a server hardening measure across devices with access to the CDE, the CDE environment itself and any other network devices that could access either large quantities or sensitive categories of personal data. (4) Encryption 6.39. Payment card data and, i some cases, passport numbers, were encrypted by Marriott using AES-128, an industry standard encryption algorithm. Oracle databases (the Starwood reservation database included tables stored i an Oracle database) provided the functionality to encrypt table entries in this way, and i was Marriot’s responsibility to ensure this was configured correctly. 6.40. However, i keeping with Marriott’s focus on PCI DSS compliance, encryption was not applied to other categories of personal data. The Commissioner i particularly concerned that not all passport numbers were encrypted. 6.41. In its First and Second Representations, Marriott stated that i had adopted a mature and risk-based approach to cyber security by targeting its security efforts on the tables containing cardholder information.** In support of its position, Marriott relied upon a selective quotation from the NCSC Guidance i its written 54 Marriott’Representations,para 1.27 and 1.63,see also para 3.45 of Marriott’Second Representations. 38 submissions. However, the Commissioner notes that the full quote provides as follows: In some scenarios, the use of encryption to protect bulk data should be the norm. For example, where data is transmitted over the internet, stored on a laptop, or stored on removable media. However, encryption relies on good key management, and in some scenarios i is challenging to engineer a solution which makes meaningful use of encryption to protect personal data. This is sometimes the case in systems which are always online, where data needs to be available to query. In these scenarios, your systems architects and designers will need to think carefully about how encryption can be used in a meaningful way.” 6.42. However, Marriott has not provided any risk assessments which demonstrate the evaluative judgement i arrived at and the rationale for its approach to the encryption of personal data. On the contrary, Marriott has taken an inconsistent approach by encrypting some but not all passport numbers. In addition, while i may be true that cardholder information i of higher risk than other categories of personal data, this does not vitiate the risk to other categories of personal data. Thus, while the NCSC guidance quoted above, does not say that Marriott i required to implement encryption across all personal data, i does require Marriott to explain why i chose to selectively encrypt data.°® Even i Marriott reasonably believed that the CDE was protected by MFA, i was aware - or ought to have been aware - that no system i fully secure.>’ 6.43. Marriott, i its First Representations, also claimed that i would have been impractical for i to have encrypted any more personal data than i did.°° However a number of methods exist to facilitate the identification of the user to which a piece of data refers, so that decryption of personal data can take place quickly and when necessary. One method i through the use of a unique identifier (such as an UUID), which can aid i querying and decrypting individual pieces of data associated with individual customers where required i almost real-time. There are also Hardware Security ° See: https://www.ncsc.gov.uk/collection/protecting-bulk-pers(emphasis added). 5 Marriott’s Second Representations, para 3.46(c). 5 Marriott’s Second Representations, para 3.46(b). 5 Marriott’s First Representations, para 1.27(b). 39 Modules which Marriott could have utilised, encrypting data i near real time at its source and decrypting i at its destination. 6.44. In additionthe level of security that the encrcouldnhave achievedwas compromisedwithin the Starwooguest reservation databaseby a script, developby Starwood,which allowedfor AES-128 encrypted entries i a database table to be dec|ypted. | ee ee ee ee a e e SS 6 ee a a ee a a a a ee ee 6 ee a a a a a ee CSC 6 ee a ee agrees that i i unlikely that the attacker did run i the attacker sons of times,le the Commissioner wished, this could have been achieved i very little timeprocess.uld be run as an automated 6 Marriott’s Second Representations, para 3.46(a). 4oOMarriott’s wider arguments 6.48. In addition to the arguments referred to above, Marriott’s Representations raised a number of more general legal and/or factual arguments. This section addresses the following submissions made by Marriott: oy First, that the Commissioner had assessed the issue of breach without reference to “any clear standards”°! reasoned with the benefit of hindsight and regarded the fact that the Attack was successful as an indicator that the security measures were inappropriate.°* Marriott claims that the Commissioner has applied an “impossibly high standard of care”.°? Ss Second, that the Commissioner failed to apply a holistic approach. a Third, that the Commissioner impermissibly relied upon Marriott’s pre-GDPR conduct, and incorrectly concluded on a provisional basis that Marriott had failed to carry out sufficient and appropriate due diligence. Qo. Fourth, that the Commissioner erred i referring to Article 25 GDPR i the NOI.® @ Fifth, that the Commissioner erred i reaching the provisional view i the NOI that Marriott had breached the notification requirement under Article 33 of the GDPR.°” 6 Marriott’s First Representations, paras 1.3-1.7. 6 Marriott’sFirstRepresentations, paras 1.8-1.12. See, to similareffect,Marriott’sSecond Representations,Executive Summary, para 3, and para 3.1(b), and paras 3.15-3.18. 6 Marriott’s First Representations, Executive Summapara 1; para 1.2, see also Marriott’s Second Representations, paras 3.14-3.18. 64 Marriott’s First RepresentatioExecutive Summary, paras land 5, and paras 1.13-1.15; and Marriott’s SecondRepresentations, para 2.2(c). 6 Marriott’s First RepresentatioExecutive Summary, paras 3-4, paras 1.18-1.20 and 1.29-1.37. 6 Marriott’s First Representations, para 1.21. 6 Marriott’s First RepresentatioExecutive Summary, para 7, and paras 2.1-2.10 and 2.16. At f. Sixth, that the Commissioner was wrong provisionally to find i the NOI that Marriott’s notification to data subjects breached Article 34 of the GDPR.® 6.49. In its First and Second Representations, Marriott also advanced a number of points i relation to: (a) the Commissioner’s approach to determining whether to impose a penalty; and (b) her methodology i calculating the proposed penalty as set out i the Notice of Intent and the draft decision. These arguments are addressed i Section 7 below. (1) The correct approach/standard 6.50. Marriott claims that: (a) the Commissioner’s factual findings were inaccurate; and/or (b) the Commissioner cannot maintain the conclusion that appropriate measures were available that Marriott failed to take to remove and/or mitigate the risk of an attack of the kind which occurred i this case because she had applied the incorrect standard or approach.®? 6.51. In the analysis set out above, the Commissioner has clarified certain factual findings made i the Notice of Intent i the light of the submissions made by Marriott i both its First and Second Representations, including by, i particular, clarifying her position i respect of the incomplete application of MFA. 6.52. Further, paragraphs 6.3-6.8 above, provide an accurate summary of the position on the relevant standard and set out the Commissioner’s response to Marriott’s argument that she applied an incorrect, unduly high, inappropriate or unclear standard i the NOI and/or draft penalty notice. The analysis set out i Section 6 above clearly explains the basis for the finding that Marriott failed to put i place appropriate security arrangements as required by the GDPR by reference to the specific facts of this case. Contrary to the claims made i Marriott’s First Representations, the Commissioner has not applied a one-size-fits-all approach to what measures are appropriate to secure different types of personal data.”° 6 Marriott’s First Representations, paras 2.11-2.15 and 2.16. RepresentationsExecutive Summary,,para 3.1.3—1.5 and 1.39-1.70; and Marriott’sSecond 7 Contrary to, i particular, paras 1.16-1.17 of Marriott’s First Representations. 426.53. As the Commissioner has set out above, and as she set out in the NOI, there were a number of appropriate measure(s) available to Marriott that an organisation of its scale would be expected to take to secure its data operations. Contrary to the claims made by Marriott, this Penalty Notice (nor the NOI/draft decision) do not proceed on the basis that simply because the Starwood system was the victim of the Attack, i follows that Marriott breached the GDPR.’! The reasoning supporting this Penalty Notice, and the NOI and draft decision, does not adopt such a simplistic approach. 6.54. For essentially the same _ reasons, contrary to Marriott’s submissions,’* the Commissioner’s findings do not involve applying the benefit of hindsight i an improper manner, or at a (as already explained above). The Commissioner i satisfied that there were four distinct weaknesses i Marriott’s system each of which Marriott ought to have identified and remedied, using one of the range of options available to Marriott (as discussed above). The Commissioner does not rely on the ‘success’ of the Attack as evidence that a breach of the GDPR definitely occurred. Instead, the Attacker’s ability to exploit deficiencies i Marriott’s security measures, for which remedies were available, discloses wider failures to put appropriate measures i place. In particular, the failure to encrypt all passport numbers was inadequate. There was also a failure to place Guardium alerts on tables other than those which contained payment information, thereby allowing the attack to go on undetected for a longer period. 6.55. At para 1.12 of its First Representations, Marriott also claims that there i no basis for the suggestion that, under the GDPR, i ought to have identified the type of Attack which i the subject of this Notice, or carried out any further improvements on the Starwood systems, because the system was the “victim of a sophisticated attacker, which adopted a multi-vectored approach to its attack and was able to circumvent numerous protections that were in place”. However, the sophistication or specific vector of the attack i not the relevant focus. A controller has to implement appropriate measures to ensure the security of its systems. The measures mentioned above could have been implemented using standard industry tools, and could have prevented, detected and/or mitigated the impact of 7 Marriott’s First Representations, §§1.8-1.9. 7 See, i particular, Marriott’s SRepresentations, paras 3.15-3.18. 43 the Attack. What the Attack disclosed was the failure by Marriott to put i place appropriate security measures to address attacks of this kind and/or other identifiable risks to the system. 6.56. Furthermore, Marriott was wrong to state’? that the fact that the relevant Starwood IT system was due to be retired shortly means that i was not necessary to put i place the types of appropriate measures identified above i order to comply with Articles 5(1)(f) and/or 32 GDPR. 6.57. In particular, Marriott relies on the fact that i originally intended to decommission the Starwood system i the first quarter of 2018 i response to the concerns raised about its security measures. I i important to note that the intended decommissioning was due to take place approximately a year and half after the acquisition of Starwood, a long period of time during which data continued to be processed on the system. In fact, the intended decommissioning did not take place i the first quarter of 2018; the timetable was altered such that i was only to be achieved by the end of 2018. Whilst the Commissioner accepts that Marriott could not have known about the delay to the decommissioning timetable at the outset,’* i early 2018 Marriott was aware that the GDPR was coming into force and that i would be continuing to process data within the Starwood network for a number of months after that. During this period, appropriate monitoring (including logging), and alerting tools could have been implemented relatively quickly i order to secure the systems until their decommissioning at the end of 2018. 6.58. Many of the measures identified i the discussion of the 4 principal errors above could have been easily implemented as part of the security improvements which Marriott was already making over this period. With regards to logging, the appropriate changes to what was i fact being logged could have been made as part of Marriott’s SIEM and SOC projects. No additional steps as part of the “general IT lifecycle process” would have been required.”° Similarly, changes to the Guardium alert settings could have been made relatively quickly and easily when IBM Guardium was deployed. The appropriate server hardening measures could have been 7 Marriott’s Second Representations, para 3.32-3.36. 7 Marriott’s Second Representations, paras 3.35-3.36. 7 Marriott’s Second Representations, para 3.38. 44 implemented within 6-12 months (depending on which measures Marriott selected and how i chose to implement them). 6.59. The fact that an IT system i due to be retired shortly does not disapply the GDPR to the data being processed through that system. Marriott was still obliged to decide what appropriate measures should be i place i the light of the continued use of the system. While the fact that a system i to be decommissioned may be a relevant factor i determining what measures would be appropriate i a given case, this ultimately does not remove the basic obligation to put i place security measures appropriate to the risk posed by the continued processing. This may mitigate against, for example, a requirement that a controller, even one of the size and scale of Marriott, put i place expensive, state-of-the-art measures, where the system i to be decommissioned i the near future. However, where other appropriate measures are available without entailing disproportionate cost or delay, they should be put i place i they are required to ensure a level of security appropriate to the risks posed by continued processing. As explained above, the specific measures identified i the discussion of the four principal errors above are all ones which could have been put i place i a short amount of time, and which would not have entailed excessive cost. (2) A holistic approach 6.60. The Commissioner has had regard to Marriott’s detailed submissions on the security measures i had i place generally, and those i implemented after its limited due diligence on the Starwood systems.’© However, the investigation has identified a number of appropriate measures or steps that should have been taken by Marriott to address the identified security risks within its system. The Attack, and/or other attacks which could have occurred as a result of the deficiencies i Marriott’s systems, identified above, mean that, even judged holistically, Marriott’s technical and organisational data security arrangements cannot be regarded as sufficient or appropriate. 6.61. The Commissioner has also considered Marriott’s submissions about the improvements made to Starwood’s systems post-acquisition, which are said to show that i engaged i appropriate due 7 See, i particular, para 1.35 and paras 1.39-1.70 of Marriott’s First Representations. 45 diligence.’”” However, i i notable that none of those steps identified the relevant, easily detectable, deficiencies i Marriott’s security, which could have been easily addressed but were exploited during the Attack. Marriott’s submissions i this regard focus on improvements i made to its own systems, and which the Starwood systems / data would benefit from when they were migrated to its network (paras 1.35(b)-(c) of Marriott’s First Representations). But this does not meet the concern that Marriott continued to use the Starwood system without remedying the clear deficiencies i its security arrangements. I i clear from Marriott’s Representations’® that only limited changes were made to the Starwood system because i was expected to be decommissioned sometime i the future. I i apparent that these changes were not sufficient to address the failings described above which should have been addressed given the ongoing processing that was to take place prior to decommissioning. (3) Pre-GDPR conduct and due diligence 6.62. Marriott i wrong to argue that the NOI relied upon Marriott’s failure to appropriately secure its systems and the personal data stored on them, prior to the period covered by the GDPR. The fact that no such reliance was placed on the pre-GDPR conduct was made clear i the NOI itself.7? 6.63. Marriott’s argument i this regard relies on the claim that any duty to undertake a due diligence process i one which would have to be discharged prior to or shortly after acquisition. Marriott submitted that i i not tenable to proceed on the basis that acquisition due diligence i a “seemingly endless” process.®° 6.64. While the Commissioner accepts that the acquisition of a company / data processing operations are a trigger for a controller to carry out due diligence, either immediately prior to acquisition or shortly thereafter, this i not the only trigger point for such activity. The need for a controller to conduct due diligence i respect of its data operations i not time-limited or a ‘one-off’ requirement. In 7 Marriott’s First Representations, paras 1.15 and 1.30-1.35. 7 See paras 1.34 and 1.35(d) of Marriott’s First Representations and paras 3.35-3.36 of Marriott’s Second RepresentationsSee also para 6.56 above. 7 Marriott’s First Representatparas 2.4-2.10;see also Marriott’s First Representparans, 1.20. 8 Marriott’s First Representations, para 1.20(a) and (b). 46 particular, the coming into effect of the GDPR was, for a global business like Marriott, a highly relevant factor. 6.65. Controllers such as Marriott would have been aware for some time that the GDPR was going to come into effect on 25 May 2018. I was incumbent on such controllers to ensure that their data processing complied with the provisions of EU law from that date. However, after May 2018 Marriott continued to process personal data using a system that was deficient i a number of respects, and those deficiencies only came to light following the discovery of the Attack some months later. 6.66. Given Marriott’s ongoing duty to ensure that the systems i had acquired from Starwood were GDPR compliant, i i no answer to claim that certain due diligence steps were, or only needed to be, taken i the period immediately after acquisition. Controllers cannot process personal data without appropriate security measures being i place on the basis that the system was deficient prior to May 2018 and has not been remedied. Even i adequate due diligence had been undertaken at the point of acquisition, that would not have removed Marriott’s obligation to ensure, on a continuing basis, that i complied with the GDPR, once that Regulation came into force. 6.67. Marriott recognises this, but relies upon inter alia its PCI DSS assessment process as the means by which this continuing obligation was discharged.®t However, PCI DSS assessments are limited i their ability to detect and mitigate vulnerabilities within a network, for the reasons given at paragraph 6.29 above. Rather, adequate and appropriate due diligence would have _ included reviewing the adequacy of the monitoring (including logging) systems within the network. 6.68. Thus, for the avoidance of any doubt, this decision relates solely to Marriott’s failures after 25 May 2018. The Commissioner has not issued a decision under the Data Protection Act 1998 (“DPA 1998”), despite the historic, pre-2018 nature of the concerns i respect of the Starwood system. 8 Marriott’s Second Representations, page 47. 47 () A ticle 25 6.69. The Commissioner acknowledges that the NOI, at para 58, included an erroneous reference to Article 25 GDPR. This was a typographical error. The penalty figure set out i the NOI did not take into account any breach of Article 25. (5) Article 33 6.70. At the NOI stage, a provisional finding of breach of Article 33 GDPR was proposed. However, this finding no longer forms part of the decision against Marriott. 6.71. In reaching this decision, the Commissioner did consider Marriott’s claims that ( the Commissioner failed to identify the date on which Marriott became aware of the breach;® and (ii) the Commissioner misapplied the GDPR rules on when a controller must be taken to be aware of a personal data breach.®? 6.72. However, i i not accepted that the NOI failed to identify the date on which Marriott became aware of the breach for the purposes of Article 33 GDPR. The Commissioner identified 8 September 2018 as the relevant date at para 52 of the NOI: “Marriott had been aware of unauthorised access to the Starwood systems since the Guardium alert on 8 September 2018... It would have been reasonable at that point for Marriott to conclude that personal data was likely to have been accessed by an unauthorised party.” The reference to the “dmp” files i para 53 of the NOI cannot reasonably be read as referring to the identification of the dmp files on 13 November 2018.4 Rather, this was a reference to the fact that on 7 September 2018 the Attacker exported the “Guest_Master_Profile” table - a table that Marriott knew to contain personal data - into a “dmp’” file. Marriott was alerted to the presence of the Attacker by Accenture on 8 September 2018, the day after this took place. 6.73. Marriott was also incorrect to submit that the GDPR requires a data controller to be reasonably certain that a personal data breach has occurred before notifying the Commissioner. Rather, a data controller must be able reasonably to conclude that i i likely a 8 Marriott’s First Representations, -2, 3.2.1 8 Marriott’s First Representations, -2.11.2.4 8 Marriott’s First Representations, para 2.1. 48 personal data breach has occurred to trigger the notification requirement under Article 33. 6.74. Nevertheless, the Commissioner took into account, i particular, Marriott’s explanation that a count can be performed on a database without any of the personal data held on that database being accessed, and that Marriott’s position i that i was unaware of the export of the “Guest_Master_Profile” table into a “dmp” file (which took place on 7 September 2018) until 13 November 2018. ® The Commissioner has also taken into account Marriott’s submission that the “Guest_Master_Profile” contained non-personal data, and therefore i was only with decryption of that file on 19 November 2018 that i became aware of the personal data breach. 6.75. Thus, i this particular case, and i the light of Marriott’s Representations, the Commissioner has decided not to make a finding that Marriott breached Article 33 GDPR. (6) Article 34 6.76. The NOI contained a provisional finding of a breach of Article 34 GDPR. Marriott submitted detailed submissions i response to that proposal.® 6.77. The Commissioner recognises that Marriott established a dedicated website regarding the breach, and issued a press release which was widely-reported.®” Marriott claims in its Representations that a dedicated website and press release would have been sufficient for i to have discharged its obligations under Article 34.8° This i incorrect. 6.78. Article 34(1) requires Marriott to “communicate the personal data breach to the data subject” (emphasis added). Where this would involve “disproportionate effort”, Marriott may issue a public communication or similar measure (Article 34(3)(c)). Sending an email to data subjects whose current email addresses are stored on Marriott’s systems i not, on any view, a disproportionate measure. I i a routine commercial activity. This i supported by the fact that Marriott did inform the data subjects, via email, very soon after i 8 Marriott’s First Representations, paras 2.4-2.10. 8 Marriott’s First Representations, paras 2.11-2.16. 8 Marriott’s First Representations, para 2.12. 8 Marriott’s First Representations, para 2.14. 49 identified the breach. The Commissioner accepts that some data subjects will not have been contactable i that way; the most obvious example being individuals who had changed their contact details. In these cases, i may have involved a disproportionate effort to track those individuals down i order to communicate the breach and, for such individuals, Marriott will have discharged its duty by way of its press release and dedicated website. However, Marriott i not entitled to rely upon communications which are addressed to the world at large (such as its press release and website) as discharging its duties under Article 34(1) i relation to all data subjects. 6.79. The Commissioner i accordingly entitled to consider Marriott's direct communications (including emails) with the affected data subjects as the means by which Marriott sought to satisfy its obligations under Article 34 GDPR. 6.80. The email sent by Marriot referred to a “dedicated call centre”, this being a specific telephone line set up for affected data subjects to contact for further information, but i did not include the telephone number. The email, having communicated the “name” of the contact point, did not communicate the “contact details” of the point where more information could be obtained. While plainly not deliberate, these omissions to some extent undermined the effectiveness of the notification. 6.81. The Commissioner has taken into account the fact that the email contained a link to the dedicated website, which i turn provided the telephone number for the dedicated call centre,®? although the email itself did not. On this occasion, and i light of the information that Marriott did i fact provide to affected data subjects, this Penalty Notice does not include any finding that Marriott breached Article 34 GDPR. 7.REASONS FOR IMPOSING A PENALTY & CALCULATION OF THE APPROPRIATE AMOUNT 7.1. For the reasons set out above, the Commissioner’s view i that Marriott has failed to comply with Articles 5(1)(f) and 32 GDPR. These failures fall within the scope of section 149(2) and 155(1)(a) 8 Marriott’s First Representations, para 2.14(a). 50 DPA. For the reasons explained below, the Commissioner has decided that i i appropriate to impose a penalty i the light of the infringements she has identified. 7.2. In deciding to impose a penalty, and calculating the appropriate amount, the Commissioner has had regard to the matters listed i Articles 83(1) and (2) GDPR and has applied the five-step approach set out in her RAP. The imposition of a penalty i appropriate in this case 7.3. Both the RAP and Article 83 GDPR provide guidance as to the circumstances i which i i appropriate to impose an administrative fine or penalty for breaches of the obligations imposed by the GDPR. 7.4. Article 83(2) GDPR lists a number of factors that must be taken into account. These are each discussed i detail below i determining the appropriate level of fine, i accordance with the steps outlined i the RAP. The points made below are also relied upon i justifying the Commissioner’s decision to impose a penalty, i the light of the findings of infringement set out above. 7.5. The RAP provides guidance on when the Commissioner will deem a penalty to be appropriate.°° In particular, the RAP explains that a penalty i more likely to be imposed where, inter alia, (a) a number of individuals have been affected; (b) there has been a degree of damage or harm (which may _ include’ distress and/or embarrassment); and (c) there has been a failure to apply reasonable measures (including relating to privacy by design) to mitigate any breach (or the possibility of it). 7.6. As discussed in more detail below, each of those features i present i this case. Taking together the findings made above about the nature of the infringements, their likely impact, and the fact that Marriott failed to comply with its GDPR_ obligations, the Commissioner considers i appropriate to apply an effective, dissuasive and proportionate penalty, reflecting the seriousness of the breaches which have occurred. ° Pages 24-25, see para 2.37 above. 51Calculation of the appropriate penalty Step 1: an ‘initial element’ removing any financial gain from the breach*! 7.7. Marriott did not gain any financial benefit, or avoid any losses, directly or indirectly as a result of the breach. The Commissioner has not, therefore, added an initial element at this stage. Step 2: Adding i an element to censure the breach based on its scale and severity, taking into account the considerations identified at sections 155(2)-(4) DPA 7.8. Sections 155(2)-(4) DPA refer to and reproduce the matters listed i Articles 83(1) and 83(2). The nature, gravity and duration of the failure (Article 83(2)(a)) 7.9. Nature and gravity of the failures: The nature of the failures i of significant concern. As set out above, there were multiple measures that Marriott could have put i place that would have allowed for the detection of or mitigated the Attack insofar as i continued after 25 May 2018.°2 What the Attack shows i that during the relevant period Marriott was processing data on a system that had multiple security failings that were exploited by the Attacker and could have been exploited by others. 7.10. In Marriott’s submissions i has placed a great deal of emphasis on other security measures i had i place, criticising the NOI/draft decision for failing to look at the matter holistically.?? This criticism i misplaced. The Commissioner has carried out a holistic analysis of the relevant systems and security processes operated by Marriott. What that analysis showed was that the measures identified i section 6 above were appropriate to secure the CDE. Marriott’s implementation (or perceived implementation) of other security measures was not sufficient. I was appropriate for there to be ° Removing any financial gain the data controllerhave obtainedfrom the infringementi consistent with ensuring that the penalty i effective, proportionate and dissuasive (Article 83(1)), and has regard to Article 83(2)(whichrefers to “financial benefits gaor losses avoided, directly or indirectly, from the infringement. ” ° Marriott’s First Representations at para 3.2(a) have been considered and in section 6 above. ° Marriott’s Second Representations, para 2.2(c). 52 multiple layers of security i this case (for the reasons given at paragraph 6.17 above). 7.11. An extremely large number of individuals were affected by the breach, specifically, 339 million guest records, of which — for the purposes of this penalty - 30.1 million®* were guest records associated with EEA member states. Marriott has explained that the total number of affected guests i difficult to estimate from this figure as i may hold multiple records for an individual guest.°° Even taking into account that the true number of affected individuals may be 40% lower than initially estimated by Marriott,°° this i still a significant number of individuals. 7.12. The mitigating steps taken by Marriott will have gone some way to reassuring Marriott’s customers and therefore may have reduced or mitigated the distress that may otherwise have been caused by the data breach. The assurances given and the mitigating steps taken by Marriott are taken into account below. I i nevertheless likely that some of the affected individuals will, depending on their circumstances, still have suffered anxiety and distress as a result of the disclosure of their personal information (including payment card information?”) to an unknown individual or individuals. The Commissioner has considered i this regard the submissions made by Marriott i i Representations.°° She notes the following points: a. The Commissioner has not seen any evidence of financial damage and i not required to investigate the existence or otherwise of financial damage.°? In calculating the appropriate level of penalty, the potential existence of such damage has not been assumed or taken into account. b. I i possible that some individuals may have cancelled their payment cards. Contrary to Marriott’s submissions,!°° the Commissioner i not required to investigate or identify evidence of individuals actually cancelling their cards. In circumstances ° Marriott’s First Representations, page 65 ° See Marriott’s Second Representations, paras 2.4-2.6. % Ibid. ° Notwithstandingthe fact that there wano actual financial hato individuals, see Marriott’s Second Representations para 2.7(a)(i). ° Marriott’s First Representatipara 3.1(d) and Marriott’s SecoRepresentationsparas 2.7- 2.8, ° A paint emphasisedi Marriott’s First Representatipara 3.2(d)(ii)(A); and Marriott’s Second Representations, para 2.7(a)(i). 100 Marriott’s Second Representations, para 2.7(a)(iii). 53 where a large number of individuals have been informed that their data, including some credit card data have been compromised, the Commissioner considers i likely that some individuals will have taken this step. c The possibility that some individuals may have been prompted to cancel their payment cards i just one element of the overall assessment of whether the breaches of the GDPR were likely to cause distress. The act of cancelling a card may i and of itself only cause inconvenience. I i the reason why such action was necessary, the disclosure of personal information, that can cause distress amongst some. d. The fact that the Marriott call centre received 57,000 calls between 30 November 2018 and 31 May 2019 (7,500 of these being calls to EU-based call centres) i indicative of the potential level of concern amongst affected data subjects on learning of the breach and subsequently.*% e. Further, even i individuals opted not to cancel their credit cards, the Commissioner considers i likely that some individuals will have experienced distress at having their personal data exposed i a large-scale data breach. Marriott’s suggestion that distress will only arise i cases where they are advised by their banks to cancel their payment cards!° ignores the fact that a personal data (not just financial data) i of significance to individuals, a significance which i reflected i the legal protections afforded to that data under the GDPR. 7.13. Duration: Although the Attack itself spanned a four-year period, the infringements that the Commissioner relies on i this Notice occurred between 25 May 2018 (the date when the GDPR came into force) and 17 September 2018. The Commissioner considers this to be a significant period of time over which unauthorised access to personal data went undetected and/or unremedied.?°% 101 See further Step 5 below. 102 See Marriott’s SeconRepresentations,para 2.7(a)(iii), whii then contradictedby the statement i para 2.7(a)(iv), which suggests that card cancellation i merely an “inconveniencan” not, as suggestei sub-para (iii) a necessary componof a finding of distress. 103 Marriott’s First Representations at para 3.2(b) and Marriott’s Second Representations at para 2.3. 54 The intentional or negligent character of the infringement (Article 83(2)(b)) 7.14. The Commissioner has had regard to the guidelines provided by the Article 29 Working Party i relation to assessing the character of the infringement i issue. I explains that: . In general, “intent” includes both knowledge and wilfulness in relation to the characteristics of an offence, whereas “unintentional” means that there was no intention to cause the infringement although the controller/processor breached the duty of care which is required in the law. It is generally admitted that intentional breaches, demonstrating contempt for the provisions of the law, are more severe than unintentional ones and therefore may be more likely to warrant the application of an administrative fine. The relevant conclusions about wilfulness or negligence will be drawn on the basis of identifying objective elements of conduct gathered from the facts of the case...1° 7.15. The Commissioner recognises that the infringement was not an intentional or deliberate act on the part of Marriott. This has been taken into account i assessing whether a fine i appropriate i this case. 7.16. The Commissioner does, however, consider that Marriott was negligent (within the meaning of Article 83(2)(b) GDPR) i maintaining systems that suffered from the vulnerabilities and shortcomings identified i Section 6 above.!° 7.17. In making this determination, the Commissioner places some weight on the relevant context: a company of the size and profile of Marriott i expected to be aware that i i likely to be targeted by attackers, sophisticated or otherwise. Marriott must be aware that the nature of its business involves processing large volumes of personal data, including sensitive personal data. The risk of any compromise of that information may have significant consequences for Marriott’s customers and its own business. 104 Pp.11-12. 105 Marriott’s general claim at par2.9(b) of its SecoRepresentationrefers to its specific explanations i section 3 of those representations, which have been i section 6 above. 557.18. In view of these factors, the Commissioner: (a) would expect Marriott to have taken appropriate steps or a combination of appropriate steps to secure the personal data of its customers; and (b) considers that Marriott failed to comply with the standards imposed by the GDPR i failing to do so. Beyond this, the Commissioner has not treated the nature of Marriott’s conduct under Article 83(2)(b) as an aggravating factor i assessing whether to impose a penalty, or how much that penalty should be. However, she i obliged to take into account the character of the infringement under Article 83(2)(b). Thus, she does not consider that she has erred i “applying this factor”, as Marriott submitted i its First Representations.1% 7.19. Marriott relied upon the Article 29 WP Guidelines to argue that the draft decision failed to treat the fact that the breaches were not deliberate as a positive factor i favour i assessing whether to impose a fine.‘°” These Guidelines state that intentional breaches are more likely to warrant the application of a fine. Marriott submitted that i this i the case, the absence of intention must weigh in the controller’s favour. 7.20. I i unclear what additional weight Marriott considers the absence of intention should attract i this case. The mere recognition i the Article 29 WP Guidelines of the obvious point that a deliberate breach i more likely to result i certain consequences does not alter the fact that a penalty may be imposed for a breach of a different nature (and nor would i be consistent with Article 83 GDPR i fines only applied to deliberate conduct). The Commissioner has taken into account the fact that the breaches were not deliberate as part of her overall assessment (as Marriott recognises?°*). However, i circumstances where, as here, the breaches were negligent within the meaning of Article 83(2)(b), that fact must also be taken into account when assessing whether to impose a fine and, i so, at what level. 7.21. Marriott also criticised the Commissioner’s analysis as being duplicative because she had regard to, inter alia, the scale of Marriott’s processing operations i assessing whether its actions 106 Marriott’s Representations, para 3.3. 107 Marriott’s Second Representations, para 2.9(a). 108 Ibid. 56 were negligent under Article 83(2)(b), as well as i assessing whether i complied with Articles 5 and 32 GDPR.!°? While i i true that the Commissioner considered some of these factors when concluding whether there was a breach of Articles 5 and 32, these factors are relevant i both contexts. The issue of whether a breach has arisen, and the nature of Marriott’s responsibility for i are clearly related issues. Any action taken by the controller or processor to mitigate the damage suffered by data subjects (Article 83(2)(c)) 7.22. The Commissioner has carefully considered Marriott’s submissions to the effect that i could not discern from the draft decision how the mitigation action i took i response to the Attack has been taken into account because i was dealt with at this Step, rather than at Step 5.110 7.23. The Commissioner remains of the view that i makes no difference to the ultimate decision on what, i any, penalty to impose whether the action taken by the controller to mitigate the damage i taken into account here, or under Step 5 i this Penalty Notice. However, she has decided to consider this issue separately under Step 5 i this Penalty Notice. The degree of responsibility of the controller or processor (Article 83)(2)(d)) 7.24. As a controller, Marriott i responsible under the GDPR for the security of its systems and the protection of personal data stored within those systems. I i required by the GDPR to implement security measures to reduce the vulnerability of those systems, and the vulnerability of the personal data processed within those systems, to attack. While the entry of the Attacker into Starwood’s systems pre-dates Marriott’s acquisition of that company, Marriott had an ongoing duty to ensure the safety and security of the systems i was using to process personal data. 7.25. As i clear from Section 6 above, there were multiple deficiencies i the security measures i place i respect of the Starwood system, which Marriott continued to operate to process personal data after 109 Marriott’s Second Representations, para 2.9(c). 110 Marriott’s Second Representations, paras 1.9-1.10, and 1.34. 5/ the GDPR came into force. As a result, the Attacker was able to remain present and undetected i the system after 25 May 2018 until the triggering of the Guardium alert i September 2018. 7.26. The Commissioner therefore considers that, for the duration of the infringement on which this penalty i based, Marriott i wholly responsible for the breaches of Articles 5(1)(f) and 32 GDPR described above. 7.27. In its Representations, Marriott highlighted the fact that the NOI did not mention that Accenture provided i with third-party IT services.'!! In response to the draft decision, Marriott explained that i its view, the fact that i engaged Accenture to assist i the security management of the Starwood network should be taken into account i assessing Marriott’s responsibility for the Attack. 7.28. I i acknowledged that Accenture i an experienced provider of security services and that i provided services i relation to Marriott’s security environment. However, the fact that i was charged with implementing, maintaining or managing certain elements of the system does not reduce Marriott’s responsibility for the breaches of the GDPR that have been identified. In circumstances where Marriott accepts that i i the relevant data controller, and significant failures i its security measures have been identified, the engagement of third parties cannot reduce its degree of responsibility. 7.29, For the avoidance of doubt, however, in taking a holistic view of the security measures put i place, account has been taken of, for example, the fact that Guardium was i place and certain alerts were applied under that system (which Accenture monitored). 7.30. Finally, Marriott i correct to state in its Representations that the Article 29 WP Guidelines provide that “industry standards... are important to take into account” when assessing compliance with the GDPR. The Commissioner has taken into account Marriott’s detailed submissions on its compliance with PCI DSS standards, i particular i respect to the concerns which arose i respect of the application 111 Marriott’s First Representatpara 3.5, anMarriott’s SeconRepresentationsparas2.10- 2.11. 58 of MFA across the Starwood network.!!2 However, Marriott’s obligations under Article 5(1)(f) and Article 32 GDPR go beyond the requirements of the PCI DSS and extend to all personal data, not just cardholder information with which those standards are concerned. The fact that Marriott may have complied with certain industry guidance focusing on specific types of personal data does not obviate or reduce its responsibility for the security of all of the personal data i holds. Relevant previous infringements (Article 83(2)(e)) 7.31. Marriott has no relevant previous infringements or failures to comply with past notices. 7.32. Marriott claims that this fact should weigh positively i its favour, rather than neutrally.1t? The fact that Marriott has no relevant previous infringements i a matter that has been taken into account i the Commissioner’s decision whether to impose a penalty, and i her decision as to the appropriate level of that penalty. Degree of cooperation with supervisory authority (Article 83(2)(f)) 7.33. Marriott has cooperated fully with her investigation and this has been taken into account. Categories of personal data affected (Article 83(2)(g)) 7.34. The Commissioner has identified the relevant categories of personal data in Section 4 above. As noted there, the data included in some (but not all) cases unencrypted passport details, details of travel, and various other categories of personal information including name, gender, date of birth, VIP status, address, phone number, email address, and credit card data. Manner in which the infringement became known to the Commissioner (Article 83(2)(h)) 112 See Marriott’s First Representations, para 3.6 and MarriRepresentationspara 2.12 and Section 3. 113 Marriott’s First Representations, para 3.7. 597.35. Marriott notified the Commissioner of the Attack on 22 November 2018 and i considered to have complied with its obligations i this respect. Conclusion at step 2 7.36. Taking into account: (a) the matters set out i Sections 2-4 and 6 above; (b) the matters referred to in this section; and (c) the need to apply an effective, proportionate and dissuasive fine i the context of a controller of Marriott’s scale and turnover, the Commissioner considers that a penalty of £28 million would be appropriate, before adjustment i accordance with Steps 3-5 below and the application of the Commissioner’s Covid-19 policy. This amount i considered appropriate to reflect the seriousness of the breach and takes into account i particular the need for the penalty to be effective, proportionate and dissuasive. Step 3: Adding i an element to reflect any aggravating factors (Article 83(2)(k)) 7.37. The amount of the penalty, as identified at Step 2, may be increased where there are ‘other’ aggravating factors.'1+ In this case, the Commissioner does not consider there to be any other relevant aggravating factors. Thus, no adjustment i made to the penalty level determined at Step 2. Step 4: Adding i an amount for a deterrent effect on others 7.38. The Commissioner i under an obligation to impose a penalty which i “dissuasive”. The need for the penalty to be dissuasive in relation to Marriott itself i addressed by the analysis at Step 2. Having regard to the amount of the penalty identified under step 2, the Commissioner does not consider i necessary to increase the penalty further under Step 4 to dissuade others.!!° 7.39. The Commissioner i not aware of widespread issues of poor practice that may be particularly deterred by the imposition of a higher penalty. Given Marriott’s size and the scale of its operations, and the fact that the Commissioner has decided to impose a penalty that already takes those factors into account as part of the need to ensure that any penalty i proportionate, effective and dissuasive 114 Tn accordance with Article 83(2)(k) GDPR, section 155(3)(k) DPA. and page 11 of the RAP. 115 This makes redundant the points about this Step made by Marriott i i Representations. 60 and to reflect the seriousness of the breach, the Commissioner considers that no adjustment i necessary under Step 4. Step 5: Reducing the amount (save that i the initial element) to reflect any mitigating factors, including ability to pay (financial hardship) (Article 83(2)(k)) 7.40. As explained above, i principle, other relevant mitigating factors could be taken into account under Step 2 or Step 5 of the RAP. Previously the Commissioner considered such matters i the round under Step 2 of the RAP, taking into account the factors in Article 83 GDPR and section 155(3) DPA 2018. However, i the light of Marriott’s representations for the purposes of this Penalty Notice the Commissioner has considered the relevant mitigating factors under Step 5. 7.41. Following the guidance set out at page 11 of the RAP, and having considered Marriott’s Representations, the Commissioner has taken into account the following mitigating factors: a. Marriott had, prior to becoming aware of the Attack, confirmed in 2018 a new $19 million security investment for 2019, which raised Marriott’s budgeted spend for that year on security to $49.5million. Subsequent investment decisions i 2019 have raised Marriott’s forecasted IT security budget spend on IT security for 2020 to $108.5million; b. Marriott took immediate steps to mitigate the effects of the Attack and protect the interests of data subjects by implementing remedial measures; c Marriott cooperated fully with the Commissioner's investigation, including responding promptly to requests for information; d. Widespread reporting i the media of the Attack i likely to have increased the awareness of other data controllers of the risks posed by cyber-attacks and of the need to ensure that they take all appropriate measures to secure personal data; and e. The Attack and subsequent regulatory action has adversely affected Marriott’s brand and reputation, which will have had some dissuasive effect on Marriott and other data controllers. 617.42. More specifically, the Commissioner has taken into account the fact that, upon being alerted to the Attack, Marriott acted promptly to mitigate the risk of damage suffered by data subjects, by way of the following technical remedial measures: a. The deployment of real-time monitoring and forensic tools on 70,000 devices on the Starwood network; b. Implementing password resets; c Disabling known compromised accounts; and d. Implementing enhanced detection tools. 7.43. These measures should allow Marriott to prevent similar breaches i the future, including by identifying any additional attackers or malicious software being utilised on its servers. 7.44, The Commissioner has also taken into account the fact that Marriott also took steps to: (a) establish a notification and communication regime; (b) create a bespoke incident website i numerous languages; (c) send 9.2 million notification emails to data subjects whose country of residence was recorded i the Starwood Guest Reservation Database as being i the EU); (d) establish a dedicated call centre; (e) provide web monitoring to affected data subjects; (f) enhance its data subject rights programme; (g) engage with card networks; and (h) improve its technical and _ organisational measures generally.1?© I i also noted that Marriott informed a number of other regulatory and law enforcement agencies. 7.45. I i acknowledged that the steps outlined above will have gone some way to reassuring Marriott’s customers, and therefore may have reduced or mitigated any distress caused by the breach. However, the fact that the Marriott call centre received 57,000 calls between 30 November 2018 and 31 May 2019 (7,500 of these being calls to EU-based call centres)?!’ i indicative of the level of concern amongst affected data subjects on learning of the breach and subsequently.1!® 116 Marriott’s First Representations, para 3.4. 117 Marriott’s Second Representations, para 2.7(b)(ii). 118 Contrary to para 2.7(a)(b)(i) of MarriottRepresentations, i i not being suggested that all of those who called Marriott’s call centre were suffering from distrbut i i likely 627.46. Contrary to Marriott’s submissions,!+9 the fact that very few of these calls were escalated internally or resulted i a complaint i irrelevant. The information provided by Marriott suggests that call handlers had FAQs available to advise customers on how to respond to the breach etc, which was presumably intended to address most situations arising.!2° Thus, the fact that only a certain number of individuals had their calls escalated / resulted i a complaint does not provide any real indication of the extent to which individuals were distressed or harmed by the loss of their data. 7.47. Marriot also relied i this regard on a claim that the Commissioner’s findings of distress and harm were materially undermined because the centre only received 57,000 calls when millions of individuals were affected by the breaches.!*! However, i circumstances where: (a) Marriott had established a dedicated website to address concerns; and (b) individuals may have sought advice from third parties and/or acted on their own knowledge and experience, the comparison between these figures does not undermine the Commissioner’s findings. The number of calls i sufficiently large to suggest that there were data subjects who were concerned. 7.48. Thus, while the Commissioner has taken into account, as outlined below, the steps taken by Marriott to mitigate the impact of its breaches of the GDPR, she remains of the view that those actions would not have immediately neutralised all the concerns on the part of data subjects about their data being i the hands of criminals / outside of Marriott’s control. 7.49. Having regard to the mitigating factors set out above, i i appropriate to reduce the £28 million penalty by 20%, i.e. to £22.4 million. 7.50. As a result of the Covid-19 pandemic, Marriott has also argued that any penalty should be reduced because of the financial hardship i would cause. 7.51. The Commissioner has considered Marriott’s representations, and the evidence i has provided. Although the Covid-19 pandemic has that - as stated here - the majority of callers were at least sufficiently concerned to make the call, which i inconsistent with Marriott’s position that no or only trivial harm at all would have arisen. 119 Marriott’s Second Representations, para 2.7(b)(iii). 120 Marriott’s Second Representations, para 2.7(b)(iii). 121 Marriott’s Second Representations, para 2.7(b)(iv). 63 had a significant impact on Marriott’s revenues, Marriott’s overall financial position i such that the Commissioner does not consider that the imposition of a penalty i the range being proposed will cause financial hardship, or that Marriott will be unable to pay such a penalty. 7.52. However, the Commissioner has published guidance entitled “The ICO’s regulatory approach during the Coronavirus public health emergency”.'?2 That guidance indicates that “As set out in the Regulatory Action Policy, before issuing fines we take into account the economic impact and affordability. In current circumstances, this is likely to mean the level of fines reduces.” While the proposed penalty will not cause financial hardship for Marriott, the Commissioner considers i appropriate to reduce the penalty that would otherwise have been imposed, i light of the current public health emergency and associated economic consequences. This i addressed below, separately from Step 5. 7.53. The Commissioner has carefully considered Marriott’s submissions that there are other additional mitigating factors that should be taken into account i this case.!23 However, none of the points raised justify a further reduction of the appropriate penalty beyond the discount set out above. In particular: The Commissioner does not consider i appropriate to further reduce the penalty by reference to costs to Marriott of taking measures to rectify or mitigate the impact of its infringement, including the cost establishing a bespoke website, call centre, web monitoring, the enhancement of Marriott’s data subject rights programme, and any other customer-facing remediation activities. The fact that Marriott was required to expend a large amount - on Marriott’s assessment i excess of $50 million+ - i customer-facing remediation activities i not directly relevant to the amount of any penalty. The fact that mitigating measures were taken, i accordance with Marriott’s obligations as a controller, has already been taken into account. 122 Version 2.1, 13 July 2020. 123 Marriott’s First Representations, para 3.13(c). 124 Marriott’s First Representations, paras 3.4(a) and 3.13(c)(vi). 64 Marriott’s preparations for the introduction of GDPR are noted.!2° However, these do not address the Commissioner’s conclusions on Marriott’s failure to implement appropriate security measures i relation to the systems i acquired from Starwood. The Commissioner has recognised that the Attack involved persistent criminal activity.17© But this does not alter the fact that the security of Marriott’s network was inadequate i a number of respects, and that those failings could and should have been addressed on a prospective basis through the implementation of appropriate measures. I i Marriott’s breaches of Articles 5(1)(f) and 32 GDPR for which i i being penalised, not the actions of third parties. The security measures that were deployed on the Starwood security environment and on the Starwood Guest Reservation Database are noted.!?” However, the existence of these measures do not detract from the Commissioner’s conclusions on Marriott’s failure to implement appropriate security measures (see section 6). That Marriott took some steps to secure the Starwood system i not considered to be a mitigating factor i the circumstances of an infringement of this scale and severity. 7.54. Accordingly, having carefully considered the mitigating factors raised by Marriott, which are relevant to the assessment of the appropriate level of any penalty, the overall penalty payable by Marriott after Step 5 i £22.4 million. Application of Covid-19 Policy 7.55. As described above, having regard to the impact of the Covid-19 pandemic (on Marriott and more generally), and consistently with the Commissioner’s published guidance, a further reduction i appropriate and proportionate. The final penalty payable will therefore be reduced to £18.4 million. 125 As relied upon at paras 3.13(c)(iii) of Marriott’s First Representations. 126 Marriott’s First Representations, para 3.13(c)(iv). 127 Marriott’s First Representations, para 3.13(c)(i)-(ii). 65 Application of the fining tier(s) (Articles 83(4) and (5) GDPR) 7.56. The infringement of Article 5(1)(f) GDPR falls within Article 83(5)(a) GDPR, whereas Article 32 falls within Article 83(4)(a). The appropriate tier i therefore that imposed by Article 83(5)(a) as this i the gravest breach i issue i this case. 7.57. In any event, for the year ended 31 December 2017 Marriott has confirmed that its relevant worldwide annual turnover i $4.997 billion. The penalty the Commissioner has decided to impose on Marriott i the sum of £18.4 million. This i considerably less than 4%, indeed considerably less than 1%, of Marriott’s total worldwide annual turnover, and accordingly well within the cap imposed by Article 83(5) GDPR. Marriott’s other representations on the decision to impose a penalty and the appropriate Penalty amount 7.58. Marriott’s Representations contained detailed submissions i response to: (a) the Commissioner’s decision to impose a penalty at all; and (b) the proposed penalty amount, as indicated i the Notice of Intent. The Commissioner has carefully considered those submissions and, to the extent they have not been addressed above, responds to them below. 7.59. In summary, Marriott submitted as follows: a. First, the Commissioner misapplied Article 83(2) i deciding to impose a fine and in determining the appropriate level of penalty. A proper application of that Article should result i no fine being imposed at all or, i the alternative, i should result i the imposition of only a low level of penalty;!2° b. Second, the Commissioner unlawfully applied an unpublished internal document, entitled “Draft Internal Procedure for Setting and Issuing Monetary Penalties”, i setting the proposed penalty on Marriott which was included i the NOI.+29 However, setting a proposed penalty amount without the Draft 128 Marriott’s First Representations, Executive para 8 and Section 3; and Marriott’s Second Representations, Section 2. 129 Marriott’s First RepresentatExecutive Summary,para 9(a) and paras 4.2-4.12, 4.14(e), 4.19, 66 Internal Procedure (or similar), as the Commissioner did i the draft decision, also offends the principle of legal certainty.1*° c Third, the Commissioner erred by relying on turnover as the sole metric i determining the level of fine proposed i the NOI, and i continuing to treat turnover the most important factor i its quantification analysis i the draft decision;+3! d. Fourth, the Commissioner has applied the wrong fining Tier under Article 83 GDPR i calculating the proposed fine;+% e. Fifth, the Commissioner erred in the NOI by applying an uplift to ensure an appropriate deterrent effect; 17? f Sixth, the Commissioner breached Marriott’s legitimate expectation that she would operate her fining powers under the GDPR i accordance with past precedents, i.e. decisions made, under the DPA 1998 and/or only applying incremental increases to the fines that would have been imposed under the 1998 Act (which was subject to a £500,000 maximum fine limit).1*4 This same failure, which Marriott described as a failure to comply with the “Precedents-Based Approach”, i also said to amount to a breach of the principle of legal certainty.1*° In its Second Representations, i particular, Marriott contends that i the absence of any new guidance providing clear and specific quantification methodology determining how fines are to be calculated, any decision to issue a fine would breach that principle.17© In this regard Marriott also relies on a comparison with a case decided by the Financial Conduct Authority (the “FCA”) i respect of Tesco Bank.'?” I also relies on an alleged inconsistency between the penalty proposed i this case and those imposed through other decisions issued by the 130 Marriott’s Second Representations, Executive summary, para 1 and paras 1.1-1.5. 131 Marriott’s First RepresentatiExecutive Summary, para 9(b), and paras 4.14-4.15and Marriott’s SeconRepresentations, paras 1.35-1.38. 132 Marriott’s First Representations, Executive Summary, para 9(b), and paras 4.16-4.17. 133 Marriott’s First Representations, paras 4.24-4.30 134 Marriott’s First Representations, Executive Summary, para 9(c), and paras 4.36-4.41; Marriott’s 135 Marriott’s First RepresentatiExecutive Summary,d para 9(c), and paras 4.50-4.73and Marriott’s SeconRepresentationsExecutive Summary, para 1, and para 1.1. 136 Marriott’s Second Representations, Executive Summary, para 1 and paras 1.6-1.11. 137 Marriott’s First Representations, paras 4.3and Marriott’s SeconRepresentationsparas 1.26-1.27 67 Commissioner and by other European supervisory authorities.+#8 g. Seventh, the Commissioner has acted contrary to the RAP because she has failed to calculate the penalty proposed i the NOI and the draft decision i accordance with its terms;+79 and h. Eighth, the Commissioner proposed a penalty i the NOI which i disproportionate on its face NOI, and the revised penalty set out i the draft decision remains disproportionate.14° (1) Application of Article 83(2) 7.60. The Commissioner has described at paragraphs 7.3-7.53 how the factors listed i Article 83(2) apply to the facts of this case. In its Representations, Marriott criticised the Commissioner’s findings i this regard. Where necessary those criticisms have been addressed at each step of the analysis set out above and/or i Section 6 above. (2) Draft Internal Procedure 7.61. Prior to issuing the NOI i this case, the Commissioner had developed a Draft Internal Procedure for calculating proposed fines, as a supplement to the RAP. Its purpose was to provide an indicative guide, by reference to the turnover of the controller, as to the appropriate penalty. As the GDPR i a new regime, this additional tool was intended to assist the decision-makers i applying Article 83 GDPR and the RAP to the facts of a particular case. 7.62. Marriott made detailed submissions on this issue.‘4+ The Commissioner has considered those submissions i deciding how to approach the calculation of the penalty to be imposed i the draft decision, and ultimately i this Notice. 7.63. The Commissioner remains of the view that the controller’s turnover i a relevant consideration i determining the appropriate level of penalty (see below), but she has decided that the Draft Internal Procedure should not be used. Therefore, i deciding the appropriate 138 Marriott’s Second Representations, Executive Summary, para paras 1.12-1.19. 139 Marriott’First Representationsparas4.42-4.49; and Marriott’s SecondRepresentations, Executive Summary,para 2, and paras 1.32-1.34. 140 Marriott’s First RepresentatiExecutive Summary, para 9(d), and paras 4.74-4.77,and Executive Summary,para 1, and paras 1.39-1.41 of Marriott’s SRepresentations. 141 See paras 4.2-4.12 of Marriott’s First Representations and parag1.2-1.5 of Marriott’s Second Representations i particular. 68 penalty i this case the Commissioner has not relied on the Draft Internal Procedure (she did not rely upon i for the purposes of her draft decision, and the same approach was adopted i preparing this Penalty Notice). She has instead relied only on Article 83 GDPR, section 155 DPA and the RAP. The approach taken to the calculation of the penalty for the purposes of this Notice i set out above. 7.64. Marriott i wrong to assert that, but for its pressing for disclosure i correspondence, the Commissioner would not have disclosed the draft guidance document.!42 The policy was provided on 2 August 2019 i response to a request made i a letter from Marriott dated 24 July 2019. The NOI set out how the penalty was arrived at. The Commissioner also provided further information about how the penalty was calculated i her letter of 17 July 2019. The Commissioner i obliged to consult the controller on the NOI and she did so. Marriott took the opportunity to make detailed submissions, and the Commissioner has carefully considered all those submissions, and acted upon them to address the concerns raised. 7.65. Marriott’s First Representations also criticised the use of a percentage range as part of its process for calculating the proposed penalty (applying the Draft Internal Procedure) and/or the way i which the Commissioner applied the turnover bands at the NOI.147 As this approach has not been adopted i this Notice, nor has the Draft Internal Procedure been applied, the Commissioner does not respond to the individual points made by Marriot on the application of the Draft Internal Procedure further here. 7.66. In its Second Representations, Marriott states that whilst i welcomes the fact that the Draft Internal Procedure i no longer relied upon by the Commissioner, (a) the Commissioner cannot rely upon the £99.2m figure proposed in the NOI as a reference point when assessing the legality or proportionality of the present proposed penalty figure;!** (b) the RAP cannot constitute an adequate basis for the calculation of a penalty i circumstances where the Commissioner had previously devised the Draft Internal Procedure;!*° and (c) i the absence of the Draft Internal Procedure, there i a lack of clarity governing penalty calculation and 142 Marriott’s Representations, paras 4.2 and 4.8. 143 Marriott’s Representations, paras 4.19-4.23. 144 Marriott’s Second Representations, para 1.3. 145 Marriott’s Second Representations, para 1.4. 69 undermines legal certainty.!*© These points are not accepted for the following reasons. 7.67. First, the Commissioner does not seek to use the figure of £99.2m, as proposed i the NOI, as a “reference point” for the penalty set i the draft decision, or the present penalty. Rather, the Commissioner carried out a fresh calculation exercise having regard to the factors listed under Article 83 of the GDPR and the RAP. See further para 7.128 below. 7.68. Second, the Draft Internal Procedure was not developed to ‘cure’ any gap i legal certainty left by the RAP. I was intended to be a helpful supplement to the RAP for internal decision-making purposes. In deciding what level of penalty may (at the consultation stage) or i appropriate i this case, the Commissioner has always applied the approach set out i the RAP, and considered the factors under Article 83 GDPR. The fact that a document was created to provide supplemental detail to the RAP does not render the RAP so deficient so as to prevent a penalty being calculated i this case. Marriott’s submissions on legal certainty are addressed i more detail below. (3) The Commissioner’s reliance on Marriott’s turnover 7.69. Marriott advanced a number of criticisms of the Commissioner’s reliance on turnover i calculating her proposed penalty in its First and Second Representations (see, for example, para 4.14 of its First Representations). 7.70. First, Marriott submitted that the only metric the Commissioner used to calculate the penalty proposed i the NOI was turnover. This i incorrect. As i clear from the NOI itself, while turnover was used as a starting point in seeking to assess the appropriate penalty, a range of other relevant factors were considered i accordance with the RAP and the GDPR. In any event, the turnover-bandings set out i the Draft Internal Procedure has not been used i preparing this Notice. 7.71. Second, Marriott submitted that turnover cannot be regarded as a core metric i a case such as this where the wrongdoer has not profited from the breach. Marriot claimed that there i no logical relationship between the breach and the controller’s turnover. The 146 Marriott’s Second Representations, para 1.5. 70 Commissioner’s approach, Marriott said, simply punishes a controller for being a large undertaking. Marriott compares the penalty proposed i this case to the Commissioner’s decision regarding Doorstep Dispensaree Ltd, dated 20 December 2019, suggesting that this shows that the Commissioner i treating turnover, unjustifiably, as the most important factor.**’ 7.7/2. The Commissioner does not accept these arguments. She considers turnover to be a relevant consideration i determining the appropriate level of penalty i this case (as well as i other cases not involving a controller profiting from a breach), for the following reasons: a. A turnover-based approach i consistent with the approach taken to penalties i the GDPR. The Data Protection Directive did not prescribe the level of fines that Member State authorities should impose for data breaches. The GDPR departs from that approach. In doing so, i expresses the maximum penalty in terms of a percentage of turnover. Turnover i therefore a relevant factor i determining the appropriate level of penalty to be imposed. This i also reflected i the Recitals, which make clear that the economic position of the controller i relevant even where the controller i a private person and not an undertaking: “ Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine.” b. Further, and i any event, the Commissioner i obliged to ensure that any penalties imposed are “effective, proportionate and dissuasive”. Having regard to a data controller’s turnover complies with this principle by ensuring that the level of any penalty i not only proportionate, but i also likely to be an effective and dissuasive deterrent for the undertaking on which i i imposed, and other equivalent controllers. I i self-evident that imposing the same penalty on an undertaking with a turnover of billions of pounds as would be imposed on a small or medium sized business would not be effective, proportionate or dissuasive. Comparable regulatory regimes that share the GDPR’s emphasis on deterrence, such as under competition 147 Marriott’s Second Representations, paras 1.36-1.37. 71 law, also take turnover into account i i some form in setting penalties. c Marriott’s claim that the introduction of the maximum amount safeguard caps i Articles 83(4) and (5) does not mean that turnover can be treated as a relevant metric i incorrect, for the reasons articulated i points (a) and (b) above.!*° In particular, Marriott’s claim that treating turnover as a relevant metric “outside of disgorgement of profits cases is illogical and perverse”, does not withstand scrutiny. I i plain from the relevant provisions of the GDPR, read as a whole, that the economic position of a controller i one relevant factor i determining what penalty i appropriate on the particular facts of any case. The GDPR does not limit the relevance of turnover to cases involving disgorgement. d. As to the decision i Doorstep, the difference between the turnover of that controller and Marriott i obviously relevant. However, each case i considered on its individual facts. Marriott’s attempts to compare the number of records involved, and then scale up the appropriate level of fine (60 times the number of records, results i a maximum 60 times higher level of fine), are misconceived. See further paras 7.116-7.119 below. 7.73. Third, Marriott submitted that any penalty regime engages the fundamental rights of controllers, including their fundamental right to property as provided for under Article 1 of Protocol 1 of the European Convention on Human rights, and Article 17 of the EU Charter of Fundamental Rights.149 The Commissioner recognises that i imposing a penalty on a controller, she must comply with any relevant fundamental rights that are engaged, including under the ECHR or the EU Charter. However, i i not accepted that taking into account a controller’s turnover i determining the appropriate penalty i incompatible with those rights because i i arbitrary or results i grossly disproportionate levels of penalty (as Marriott contended at para 4.14(c) of its First Representations). I i an approach that complies with the regime established by the GDPR. 148 Marriott’s First Representations, para 4.14(d). 149 Marriott’s First Representations, para 4.14(c). 127.74. Fourth, Marriott contended that the turnover approach _ i inconsistent with the RAP.!°° This i incorrect. 7.75. As explained above, the calculation of the proposed penalty i the NOI was not exclusively based on turnover, contrary to Marriott’s claim. I took account of the various factors discussed i the RAP. This Notice addresses each step of the process of the RAP in turn to make even clearer that the penalty has been set i accordance with its terms. Turnover i relevant to establishing whether a penalty i appropriate, proportionate, effective and dissuasive i applying the steps set out in the RAP, as explained above. 7.76. Moreover, Marriott’s reliance in this regard on reference in the RAP to circumstances i which the Commissioner will convene an advisory panel i misplaced.1>! The RAP describes “very significant” penalties as those “expected to be those over the threshold of 1M” i that particular context, i.e. the context i which the Commissioner may convene an advisory panel. This was not intended to be - and i any event cannot objectively be read as giving - an indication to controllers of the likely penalty they may face i the event of a data breach, particularly in light of the provisions of GDPR. The section of the RAP setting out how penalties will be calculated does not refer to the concept of “very significant” penalties at all. 7.77. Consequently, the RAP’s discussion of when an advisory panel may be convened i no basis for saying that turnover i not a relevant factor i determining penalty. Marriott was also therefore wrong to claim in its Representations that: (a) the £1million figure referred to i the discussion of when an advisory panel may be appropriate should be the starting point for calculating fines i the most serious and significant cases before the Commissioner;1>* and (b) the Commissioner must justify imposing any fine above that threshold figure. This i a misreading of the RAP, see further below. 7.78. Firth, Marriott contended that what the Commissioner should have done i quantifying the appropriate penalty was to “(a) start with what an infringement of this nature is objectively worth in penalty terms having regard to its nature, gravity and duration, irrespective of the financial stature of the wrongdoer; then (b) add or take away 150 Marriott’s First Representations, para 4.14(f). 151 Page 26 of the RAP. See also para 4.46 of Marriott’s First Representations. 152 Marriott’s First Representations, para 4.46. 13 amounts to reflect respectively aggravating and mitigating factors; before moving at the final stage of the analysis to (c) the question of whether, in view of all the circumstances, some increase in the penalty is required to ensure a deterrent effect.”'>? 7.79. The Commissioner’s approach i set out above. She has considered each step of the RAP, and a of the factors listed i Article 83 GDPR, i order to arrive at the overall appropriate penalty. Given that the financial stature of the wrongdoer would need to be taken into account at least i considering whether an increase i fine would be necessary to secure a deterrent effect, i i not clear that adopting the alternative structure proposed by Marriott would make any material difference to the outcome. (4) The appropriate tier 7.80. In response to the NOI, Marriott submitted that the Commissioner had applied the wrong fining tier. I was said that the Commissioner incorrectly categorised the breaches i issue as a Tier 2 infringement, allowing for a maximum fine of 4% of turnover.!>4 This submission was based, i summary, on the following points: a. Article 5(1)(f) i simply a shorter, summary version, of the more detailed and specific obligation i Article 32. Article 32 GDPR therefore amounts to the /ex specialis of Article 5(1)(f) and should therefore take precedence. b. The maximum fine should be 2% in this case because: i Any ambiguity in the wording of a provision of law imposing a civil penalty should be resolved i favour of the controller. i |The wording of Article 83(4) makes clear that the intention was to impose this lower maximum cap for breaches of Article 32, which i the /ex specialis. 7.81. The Commissioner does not accept these submissions, for the following reasons. 153 Marriott’s First Representations, para 4.15. 154 Marriott’s First Representations, paras 4.16-4.17. 747.82. First, the GDPR addresses expressly what the appropriate maximum fine should be when a controller breaches the “basic principles of processing” under Article 5 GDPR. Article 5(1)(f), as one of the basic principles of processing, cannot be dismissed as simply a summary of a later new provision included i the GDPR. The EU legislature has made i clear that a higher penalty i appropriate where a controller i found to have breached the basic principles of processing that underpin the regime. Contrary to Marriott’s submissions, Article 83(5)(a) provides i clear i explicit and unambiguous terms that 4% i the appropriate cap for breaches of Article 5, including Article 5(1)(f). 7.83. Second, the GDPR also recognises that the same or linked processing operations may give rise to infringements of several provisions of that Regulation. I addresses this by making clear that the total amount of any penalty i to be the subject of the amount specified for the gravest infringement (see Article 83(3)). 7.84. Third, the principle of /ex specialis means that “where a legal issue falls within the ambit of a provision framed in general terms, but is also specifically addressed by another provision, the specific provision overrides the more general one.”!>> The Commissioner does not accept that the application of the /ex specialis principle precludes the Commissioner from treating this case as a Tier 2 infringement. 7.85. Article 5(1)(f) and Article 32 are evidently distinct provisions of the GDPR, notwithstanding the degree of overlap. Article 32 applies to processors, whilst Article 5 does not. Contrary to Marriott’s submission, there i no basis upon which to give Article 32 precedence over Article 5(1)(f). They can be applied to controllers at the same time: Article 32 does not override the basic requirements laid down in Article 5(1)(f), read with Article 5(2), which establish the responsibility of the controller for demonstrating compliance with the security obligation and any breach of that principle. 7.86. Further, and in any event, the provisions in Article 83(4) and Article 83(5) are distinct provisions which make explicit provision for 155 R (Hallam) v Secretary of State for Justice [202 at [144]. See also Case T-60/06 RENV I Italy v Commissio(2016), at [81]. 15 different fining tiers to apply to breaches of Articles 5 and 32 GDPR. I i clear that any infringement of Article 32 falls within the scope of Article 83(4) whilst an infringement of Article 5(1)(f) falls within the scope of Article 83(5). Article 83(4) i not more specific than Article 83(5). I i incapable of overriding or taking precedence over i Rather, any issue as to which maximum penalty applies i resolved by the application of Article 83(3) which states i terms that i these circumstances “the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.” The legislation itself provides the mechanism for addressing circumstances i which processing engages more than one obligation. 7.87. The Commissioner notes that her interpretation of Articles 83(4)-(5) i supported by the Article 29 Working Party’s Guidelines on the application and setting of administrative fines for the purposes of the GDPR, which states: Specific infringements are not given a specific price tag in the Regulation, only a cap (maximum amount). This can be indicative of a relative lower degree of gravity for a breach of obligations listed in article 83(4), compared with those set out in article 83(5). The effective, proportionate and dissuasive reaction to a breach of article 83(5) will however depend on the circumstances of the case... The occurrence of several different infringements committed together in any particular single case means that the supervisory authority is able to apply the administrative fines at a level which is effective, proportionate and dissuasive within the limit of the gravest infringement. Therefore, if an infringement of article 8 and article 12 has been discovered, then the supervisory authority may be able to apply the corrective measures as set out in article 83(5) which correspond to the category of the gravest infringement, namely article 12....1°° 7.88. Fourth, i any event, Marriott’s main objection to the use of the 4% maximum penalty appears to be its impact on the turnover-bands applied under the Draft Internal Procedure, which was applied i calculating the proposed fine included i the Notice of Intent. As this 156 Pages 9-10. 16 approach has not been adopted i determining the final level of penalty to be imposed by this Notice, the same concerns do not arise. I i noted that the final penalty imposed i well below the 2% cap, and so the application of that cap i reaching the final decision, as opposed to a 4% cap, would have made no difference. 7.89. Marriott also asserted i a single paragraph of its First Representations that the Commissioner’s approach to quantification i “wholly arbitrary”.'°’ This i not accepted, either as a criticism of the NOI or this Notice. I appears that this argument rested on Marriott’s contention that there are no clear and precise rules i place governing the setting of the penalty by the Commissioner. This claim i addressed below. (5) An uplift to ensure a deterrent effect 7.90. Marriott claimed that the proposal i the NOI to increase the proposed penalty for the infringement to 2.5% to ensure that i would have a sufficient deterrent effect was arbitrary and unlawful.1°° This i not accepted. The Commissioner i obliged to consider whether such an uplift should be made under the RAP and Article 83 GDPR. 7.91. Marriott's criticisms of the NOI in this regard relied heavily on its criticisms of the previous use made of the Draft Internal Procedure’s turnover-based approach i setting the proposed penalty at that stage.'°°? These points have been addressed above. I i however, important to note that para 61(d) of the NOI explained that i the light of the scale and severity of the infringement and factors discussed i para 61(a)-(c), a penalty of between 1.5 and 2% would be appropriate and proportionate. Para 61(f) then went on to consider what an appropriate uplift would be to ensure a deterrent effect, which was a separate issue that warranted individual consideration at a later stage of the analysis. These are separate steps under the RAP (see Section 2 above). I i therefore incorrect to assert, as Marriot did, that any uplift from the judged starting point means that the Commissioner: “is knowingly imposing a disproportionate penalty sum. °° 157 Marriott’s First Representations, para 4.18. 158 Marriott’s First Representations, para 4.24. 159 Marriott’s First Representations, paras 4.25-4.30. 160 Marriott’s First Representations, para 4.25. ae7.92. In any event, as set out above under Step 4, no additional amount has been added in this case for deterrent effect. (6) Legitimate Expectation and Legal Certainty The alleged legitimate expectation 7.93. In response to the NOI and draft decision, Marriott relied on selective quotes from public statements made by the Commissioner or her office about the new GDPR regime to contend that fines under the GDPR should be set i accordance with past precedents, i.e. decisions made under the DPA 1998.'6! What Marriott seeks, i effect, i for the Commissioner unilaterally to impose the previous domestic cap and approach to fines which applied i the UK prior to the harmonised regime under the GDPR. 7.94. Plainly i i not open to the Commissioner, as a matter of domestic or EU law, to adopt unilaterally an approach that would undermine the object and purpose of the new EU regime. 7.95. The GDPR, and consequently the DPA, represent a significant departure from the regime under DPA 1998 and the 1995 Directive. The GDPR was expressly intended to harmonise the rights of, and protections afforded to, data subjects across the EU. I differs markedly from the 1995 Directive, most obviously i that i introduces significantly higher and more effective penalties, with maximum penalties defined expressly by reference to turnover. The GDPR also imposes new obligations on controllers, including new organisational requirements such as the designation of a data protection officer and new provisions on the lawfulness of processing. The GDPR and the DPA have significantly changed the legal landscape i data protection and enforcement. 7.96. Marriott’s submissions are to the effect that public statements made by the Commissioner override these changes, and as such she i bound to apply i effect the DPA 1998 and/or only apply incremental increases to the level of fine that would have been issued under that Act. Public statements made by the Commissioner or her staff, which are i any event quoted selectively and/or taken out of their proper context by Marriott, are incapable of achieving this outcome. 161 Marriott’s First Representations, paras 4.37-4.41. See also Marriott’s First Representations, paras 4.65-4.66, see also Marriott’s SRepresentations, para 1.28-1.31. 187.97. More specifically, the public statements referred to by Marriott i its Representations were not intended to be - and cannot objectively be read as - assurances to any controller that the Commissioner would not use her powers on a case by case basis, to impose effective, proportionate and dissuasive penalties i appropriate cases. Marriott disputes this, however, the Commissioner maintains her position for the following reasons: a. Marriott refers to a blog post published by Elizabeth Denham on 9 August 2017.1 Whilst i i true that the post states that the Commissioner will not “simply scale up penalties” issued under the DPA 1998, i also states: “Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in the 21°* century world. We intend to use those powers proportionately and judiciously.” b. Marriott refers to a speech made by James Dipple-Johnstone at the Data Protection Practitioner’s Conference on 9 April 2018,/° however the quotation which Marriott selectively cited i preceded by a summary of the approach the Commissioner intended to take, including “we will look at each case on its own merits. We'll look at the features and context of each case. And, this is important, we will focus on area of greatest risk to people - potential or actual harm... The more serious, high impact, deliberate, wilful or repeated breaches can expect the most robust response.” 7.98. There i nothing within these quotations which can be read as giving rise to a legitimate expectation that the Commissioner would either: (a) issue fines i accordance with the previous maximum limit which applied under the DPA 1998 and/or past cases issued under that Act; or (b) only apply incremental increases to the level of fine that would have been imposed under the DPA 1998.16 As made clear i the blog and speech to which Marriott has referred, the Commissioner had always been clear that she would (in accordance with her obligations) use her full powers ona case by case basis, to 162 Marriott’s Second Representations, para 1.29(a). 163 Marriott’s Second Representations, para 1.29(b). 164 Marriott’s Second Representations, paras 1.30-1.31. 19 impose effective, proportionate and dissuasive penalties i appropriate cases, which includes the possibility of large fines. 7.99. Marriott accepted i its Second Representations that the Commissioner i not constrained by the previous statutory maximum of £500,000.'© But i practice, its attempt to limit the Commissioner to only making incremental increases to the fine level that would have applied under the DPA 1998 amounts to the same thing. The starting point i the application of Article 83 GDPR, the DPA 2018 and the RAP. I i not what the decision would have been under a superseded legal regime. The alleged lack of legal certainty 7.100. As set out above, the Commissioner recognises that i imposing a penalty on a controller, she must comply with any relevant fundamental rights that are engaged, including under the ECHR or the EU Charter. She does not accept, however, that the penalty regime applicable under, i particular, Article 83 GDPR lacks sufficient certainty such that i cannot be lawfully applied. That i i effect Marriott’s case. I contends that unless the Commissioner applies a precedents-based approach based on decisions made under the DPA 1998, i i impossible for the Commissioner to meet the requirement of legal certainty.1® 7.101. The DPA reflects the directly applicable EU law framework for determining penalties. The Commissioner does not agree with Marriott that Article 83 GDPR or section 155 DPA are so unclear that they are unlawful. Taken together, those provisions specify the circumstances i which a data protection authority has the power to impose an administrative penalty, and the matters that are relevant to that decision and the amount of any penalty. The legislative regime i supplemented by the RAP, which provides additional guidance i this regard. Contrary to para 4.60 of Marriott’s First Representations, the RAP cannot be dismissed as “unclear and open- ended”. 7.102. Marriott’s submissions on legal certainty are wrong for the following seven reasons. 165 Marriott’s Second Representations, para 1.30. 166 Marriott’s First Representations, paras 4.50-4.73. 807.103. First, in accordance with section 161 DPA 2018 the RAP was laid before Parliament for approval, and was duly approved. 7.104. In its Second Representations, Marriott emphasised the fact that Articles 83(8)-(9) and 70(1)(k) GDPR “directly envisage and expect” that the high-level principles set out i the legislation will be the subject of national or supranational guidance.!®” Pursuant to section 160 DPA, the Commissioner i obliged to issue guidance i respect of how she will determine the amount of penalties to be imposed. She has done so through the RAP. 7.105. Second, the RAP, which must be read alongside the DPA and, in particular, Article 83 GDPR, provides sufficient clarity and legal certainty, as required under the ECHR and EU law. In particular, the RAP explains that Step 2 intends to “censure” the breach, and this requires taking into consideration its scale (including the number of data subjects affected) and the severity of the breach itself, and expressly refers to the factors set out i the DPA. Examples of aggravating factors are set out i the RAP to assist with the interpretation of Step 3, as well as mitigating factors (to be considered at Step 5). Marriott’s argument appears to be that because i i possible for the RAP to be more detailed, i must follow that the RAP i insufficiently detailed to fulfil the requirements of legal certainty. That i not the case. 7.106. I i not suggested that i i impossible to produce more detailed quantification guidance.1®* The GDPR i a new regime. Whilst not necessary for the purposes of legal certainty, more detailed guidance may well be developed over time as the UK and EU Member States gain experience in applying i The Commissioner has committed to updating the guidance available i the future. However, the fact that there i potential for further development of the guidance does not mean that the present guidance i so unclear as to be unlawful. The RAP provides sufficient guidance as to the circumstances i which penalties, including large penalties, will be applied. 167 Marriott’s Second Representations, para 1.9. 168 Marriott’s Second Representations, para 1.10. 817.107. Third, i i neither necessary nor possible to produce a specific quantification framework which tells controllers precisely what level of fine they may face. 7.108. In para 1.9 of its Second Representations, Marriott claims that the Commissioner cannot lawfully impose penalties without setting out a further quantification methodology.'®? This i incorrect. The guidance available from Article 83 GDPR, the DPA and the RAP, cannot be rejected as legally uncertain purely on the basis that i does not attempt to specify exactly what levels of penalty might attach to wrongdoing.'”° 7.109. I would be impossible for the Commissioner to specify all the types of situations, and relevant circumstances, i which a penalty may be imposed under the GDPR. Nor could any guidance permit a controller to calculate specifically what any fine might be (especially by reference to a particular fine). The guidance must be general enough i order to cover a wide range of potential situations, and respect the general discretion of the Commission (subject to public law principles). The GDPR also requires the Commissioner to take a case-by-case approach, guided by the need to ensure that any penalty i effective, proportionate and dissuasive, and subject to the prescribed turnover caps. 7.110. Fourth, contrary to Marriott’s submissions,‘7! there i also no flaw i the Commissioner’s approach because, on the particular facts of this case, no adjustments needed to be made at certain steps i the process. The draft decision explained clearly, i particular, that: (a) the need to ensure the penalty i dissuasive was taken into account sufficiently under Step 2 such that there was no need for a further uplift reflecting the need for the penalty sum to deter others under Step 4;172 and (b) the mitigating factors had been taken into account under Step 2, so no adjustment was made at Step 5 to avoid ‘double-counting’. The fact that certain steps did not require adjustments to be made i a particular case particular case does not render the RAP, which i intended to be of general application, “deficient” .173 169 Marriott’s Second Representations, para 7.93. 170 Marriott’s Second Representations, paras 1.7-1.10. 171 Marriott’s Second Representations, para 1.34. 172 Marriott’s Second Representations, para 1.34. 173 Marriott’s Second Representations, para 1.10, see also para 1.34. 827.111. In any event, to assist Marriott, the Commissioner has dealt with the mitigating factors arising i this case under Step 5 of the analysis (rather than Step 2, see para 7.40 above) so that i can see the impact of these factors on the overall level of penalty. 7.112. Fifth, as explained at paragraph 7.68 above, the Draft Internal Procedure was not developed and i not relied upon for the purposes of meeting the legal certainty requirement, contrary to Marriott’s submissions during the course of the investigation.1’* While i was intended to be a helpful supplement to the RAP for internal decision- making purposes, i has been disregarded for the purposes of this Notice. 7.113. Sixth, for the reasons given above i respect of Marriott’s legitimate expectation argument, i i not open to the Commissioner to re- impose the different, UK-only, legislative cap on fines i the manner sought by Marriott. The bands which applied under the DPA 1998, and the decisions made under i cannot be relied upon as a justification for the Commissioner to fail to comply with EU law. 7.114. Finally, as to the claim made by Marriott that other bodies, namely the FCA and the EU Commission, apply more rigorous and more predictable rules, i i noted that each regulator must take enforcement action within the bounds of its own legal obligations, and i this case the Commissioner i bound to comply, i particular, with Article 83 of the GDPR.*7° Other decisions by the Commissioner / Decisions by other European authorities 7.115. Marriott submitted i its Representations that the proposed penalty i inconsistent with previous action by the Commissioner and other EU supervisory authorities, contrary to the stated aim of GDPR being to create a harmonised regime. ?’° In its Representations,’”” Marriott states that the proposed penalty i (a) inconsistent with action taken by other EU supervisory authorities, (b) contrary to the stated aim of the GDPR being a harmonised regime; and (c) inconsistent with 174 Marriott’s First Representations, para 4.61 and MarriotRepresentations, para 1.4. 175 The submissiomade at paras 1.20-1.25 of Marriott’s SRepresentations are noted. 1.12-1.19.tt’s First Representaparas 4.69-4.7and Marriott’s SeconRepresentationsparas 177 Marriott’s Second Representations, paras 1.14-1.19. 83 the decision taken by the Commissioner i a different case. Marriott specifically refers to the following cases: a. the decision by CNIL to impose a €50 million penalty on Google. Marriott contended that the infringements i Google’s case were more serious than those considered i this Notice. b. the Austrian Data Protection Authority against Osterreichische Post AG, which was fined €18 million; c a €2.6 million fine issued by the Bulgarian Commission of Personal Data Protection to the Bulgarian Revenue Agency i relation to a cyber-attack which affected over 5 million data subjects; d. a fine of €645,000 imposed on Morele.net by the Polish supervisory authority for a cyber-attack affecting over 2 million data subjects; e. a fine of €150,000 impose on Raiffeisen Bank by the Romanian supervisory authority concerning the misuse of customer data by employees of the bank; f the Romanian authority on UniCredit Bank SA. The company was fined of €130,000 for a breach of Article 25 GDPR due to the compromise of payment details, when its worldwide turnover for 2018 was of €18 billion; and g. the Commissioner’s decision regarding Doorstep Dispensaree Ltd, dated 20 December 2019. 7.116. The purpose of GDPR i as Marriott contends, to secure a harmonised regime. However, that harmonisation i achieved through the application of harmonised rules and standards to the particular facts of the case at issue. Any cross-border processing decision must then be subject to the Article 60 process. 7.117. The Commissioner, along with other EU supervisory authorities, must comply with her obligations under Article 83 and that means that she i required to impose a penalty which, i her own judgment, having regard to all the matters listed i Article 83, and on the facts of the individual case, i effective, proportionate, and dissuasive. In principle, ‘equivalent’ breaches should attach ‘equivalent’ penalties. 84 But i practice, each case will turn on its own particular facts. Whilst the Commissioner has considered the limited information available about the cases to which Marriott has referred, she maintains that simple comparisons of the penalties imposed i different cases do not show that the Commissioner has erred i applying Article 83 GDPR, DPA and/or the RAP. 7.118. There i a great degree of variation i the penalties imposed by supervisory authorities even i the context of the limited fines imposed to date,?”® which are - i the Commissioner’s view - indicative of a decision-making process that i fact-specific. I would be premature and not necessarily helpful to rely heavily at this juncture on a survey of the action taken by other supervisory authorities, given the relatively few decisions that have been taken under the new regime. This i particularly the case where there i limited public information available about the reasons for the decisions taken by other authorities. 7.119. In any event, as the Commissioner i acting as lead authority i this case, the way to ensure consistency i not by comparing the penalty to a selection of other penalties issued on different facts in the EU. Rather, the consistency mechanism provided for by Articles 60(4) and 63 GDPR will allow for all of the supervisory authorities concerned to cooperate with the Commissioner, make enquiries, and contribute their views i order to ensure the consistency of the ultimate penalty sum with penalties that have been ( there are any) and/or will be applied i similar situations. The Article 60 process i one of the factors which, as noted in Article 63, contributes to the consistent application of the GDPR and the Commissioner i entitled to rely on the process as a contributory factor. (7) Application of the RAP 7.120. In response to the NOI and/or the draft decision, Marriott submitted that the Commissioner had acted contrary to the RAP by: (a) failing to consider separately the appropriate fines for the provisionally found breaches of Articles 33 and 34 GDPR, from those i relation to Articles 5(1)(f) and 32 GDPR; (b) failing to adopt the starting 178 Notably the decision of the FrSA, the CNIL, to fine Goog50 million EuroSee also https://www.enforcementtracker.cowhich suggests there i significant variation i the level of fines that have been imposed to date, ranging from a few thousand to millions of pounds. 85 point that any penalty of over £1 million i reserved for very significant cases; and/or (c) failing to correctly apply the factors that the RAP categorises as determining whether a higher penalty can be imposed.+79 7.121. As to the first issue, the Commissioner has not included in her final decision a finding that Marriott breached Article 33 or 34 GDPR. Thus, this issue no longer arises. 7.122. The second issue i based on a misreading of the RAP. Marriott misunderstood the discussion of the circumstances i which she may convene an advisory panel. This point has been addressed above at paras 7.76-7.77. 7.123. In response to the draft decision, Marriott submitted that the Commissioner i seeking to “reinterpret” the wording of page 26 of the RAP i this regard. That i incorrect. The section of the RAP which addresses specifically the setting of a penalty does not refer to this concept of “very significant” penalties at all. This language i used only to describe the types of situations i which the Commissioner may convene an advisory panel.!®° 7.124. Marriott also submitted that the fact that: “the ICO appears to have determined that this case is not significant enough to merit convening the panel, which is entirely inconsistent with the fine imposed and further demonstrates the arbitrariness of this process.” 181 This submission i unfounded. The Commissioner has discretion over whether to convene a panel. The reasons why a panel was not convened i this case was explained i correspondence, i.e. this decision would be subject to the Article 60 consultation process. In such circumstances, the panel was unnecessary. I does not imply that this case lacks significance. For the reasons outlined above, this case has been found to involve significant breaches of the GDPR. 7.125. The third issue was also based on a misinterpretation or misapplication of the RAP. Contrary to Marriott’s submissions, ! ®2 the RAP does not set out at page 27 the only categories of cases i which i i justifiable for the Commissioner to impose a high penalty. The 179 Marriott’s First Representaparas 4.42-4.49and Marriott’s SecoRepresentationsparas 1.32-1.34. 180 Page 26 of the RAP. 181 Marriott’s Second Representations, para 1.33. 182 Marriott’s Second Representations, para 1.32. 86 examples provided are not to be applied as a list of criteria which must be met i any case before a penalty exceeding £1 million can be imposed. They provide a general indication of the circumstances i which a penalty will be higher. The Commissioner i not therefore departing from guidance i a manner which has to be justified. This Penalty Notice explains why the fine set i appropriate. 7.126. The GDPR was enacted i 2016 and came into force two years later. Data controllers, especially global undertakings of the size of Marriott, would have been fully aware of the maximum penalties permitted by GDPR. The reference to the sum of £1 million i the RAP does no more than describe the circumstances i which the Commissioner may decide to convene an advisory panel, and page 27 of the RAP cannot be relied upon to confine the Commissioner’s power to impose penalties i the manner sought by Marriott. The decision as to whether a penalty should be imposed and at what level, i order to provide an effective, proportionate and dissuasive result has to be reached through the application of Article 83(2) GDPR and section 155 DPA 2018. It i clear from the RAP that the Commissioner will adopt a case-specific approach, taking into account all relevant considerations. That i the approach taken i this case. (8) Proportionality 7.127. Marriott contends that the proposed penalty set out i the NOI was disproportionate on its face.18? This argument i not accepted i respect of the provisional penalty that was proposed i the light of the information available at that time. 7.128. I i also not accepted that the penalty proposed i the draft decision was also disproportionate. That proposed penalty took account of and reflected the submissions made by Marriott i response to the NOI. Marriott criticised the approach taken i the draft decision on the basis that the claim that the fine proposed was proportionate rested inappropriately on a comparison with the level of penalty set out i the NOI1®*, That was not the approach taken. Section 7 of the draft decision explained clearly the basis upon which, at that time, the proposed penalty was proportionate. In any event, this Penalty Notice explains i clear terms why the level of final penalty imposed 183 Marriott’s First Representations, paras 4.74-4.77 and Second Representations, para 1.8. 184 Marriott’s Second Representations, paras 1.8 and 1.40. 87 i proportionate i the light of the findings reached by the Commissioner (see paragraphs 7.3-7.57 above). 7.129. The mathematical error made at para 5.43 of the draft decision i noted.?8° No such error i made at para 7.57 above. 8. HOW THE PENALTY IS TO BE PAID 8.1. The penalty must be paid to the Commissioner’s office by BACS transfer or cheque. 8.2. The penalty i not kept by the Commissioner but will be paid into the Consolidated Fund which i the Government’s general bank account at the Bank of England. 9. ENFORCEMENT POWERS 9.1. The Commissioner will not take action to enforce a penalty unless: e all or any of the penalty has not been paid; e all relevant appeals against the penalty notice and any variation of i have either been decided or withdrawn; and e the period for appealing against the penalty and any variation of i has expired. 9.2. In England, Wales and Northern Ireland, the penalty i recoverable by Order of the County Court or the High Court. In Scotland, the penalty can be enforced i the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom i Scotland. 185 Marriott’s Second Representations, para 1.41. 88Dated the 30° day of October 2020 Elizabeth Denham Information Commissioner Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF 89 ANNEX 1 RIGHTS OF APPEAL AGAINST DECISIONS OF THE C O M M I S S I O N E R 1. Section 162(1) of the Data Protection Act 2018 gives any person upon whom a penalty notice has been served a right of appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’) against the notice. 2. I you decide to appeal and i the Tribunal considers:- a) that the notice against which the appeal i brought i not in accordance with the law; or b) to the extent that the notice involved an exercise of discretion by the Commissioner, that she ought to have exercised her discretion differently, the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal. 3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address: General Regulatory Chamber HM Courts & Tribunals Service PO Box 9300 Leicester LE1 8DJ a) The notice of appeal should be sent so i i received by the Tribunal within 28 days of the date of the notice. b) I your notice of appeal i late the Tribunal will not admit i unless the Tribunal has extended the time for complying with this rule. 90The notice of appeal should state:- a) your name and address/name and address of your representative (if any); b) an address where documents may be sent or delivered to you; C) the name and address of the Information Commissioner; d) details of the decision to which the proceedings relate; e) the result that you are seeking; f the grounds on which you rely; g) you must provide with the notice of appeal a copy of the penalty notice or variation notice; h) i you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time and the reason why the notice of appeal was not provided i time. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose. The statutory provisions concerning appeals to the First-tier Tribunal (General Regulatory Chamber) are contained i sections 162 and 163 of, and Schedule 16 to, the Data Protection Act 2018, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)). 91