ICO - Monetary Penalty on Marriott International Inc.

ICO - Monetary Penalty on Marriott International Inc.

Authority:	ICO (UK)
Jurisdiction:	United Kingdom
Relevant Law:	Article 5(1)(f) GDPR Article 32 GDPR
Type:	Investigation
Outcome:	Violation Found
Started:
Decided:	30.09.2020
Published:	30.10.2020
Fine:	18400000 GBP
Parties:	n/a
National Case Number/Name:	Monetary Penalty on Marriott International Inc.
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	English
Original Source:	Information Commissioner's Office (in EN)
Initial Contributor:	Edda Pernice

The Information Commissioner’s Officer (ICO) imposed a fine of € 20.7 million on Marriott International Inc (“Marriott”) for failing to ensure appropriate security when processing its costumers’ personal data, thus violating Article 5(1)(f) and Article 32 GDPR.

Investigations began following notification of an attack on Marriott’s IT systems that took place over a period of time that includes May 2018 (when the GDPR came into force) to September 2018 . As a result, the attacker(s) had access to vast amounts of costumers’ personal data: Marriot estimated that they accessed 339 million guest records, with 30.1 million being EEA members’ records and 7 million being associated with the UK.

English Summary

Facts

Starwood Hotels and Resorts Worldwide Inc’s (“Starwood”) IT system were first compromised by unknown attackers in 2014. Marriot subsequently acquired Starwood in 2016, but did not detect this attack at any time between that moment and September 2018. Therefore, between 2014 and 2018, the attackers had access to Starwood’s systems through use of Remote Access Trojan malware, and kept extracting Starwood databases. Marriott became aware of potential attacks following an alert from a system applied to one of its most confidential databases on September 2018. After that Marriot found malware installed and proof that databases had been extracted over the years, so they promptly notified both the ICO and relevant data subjects of the breach. The ICO found that the attackers had obtained unencrypted personal data of the likes of: passport numbers, identifying information of the costumers such as name, date of birth and gender, plus credit card details in encrypted form.

Dispute

Holding

Although the ICO and the relevant victims were notified promptly of the breach, the ICO found that there were many failures in placing the technical and organizational measures to safeguard personal data in Marriott’s system as required under Article 5(1)(f) and Article 32 GDPR. Marriott’s shortcomings, as outlined by the ICO, were the following: insufficient monitoring of privileged accounts and their user activity, insufficient monitoring of databases, poor control of critical systems and systems that have access to large amounts of personal data, and the fact that only certain type of sensitive data was encrypted (e.g. credit card numbers) but not all (e.g. many passport numbers). The ICO fined Marriott in line of Article 83 GDPR but also took into account mitigating factors such as the efforts that Marriott made to inform and help the victims of the breach, the $19 million investment it made on security the following year and the financial impacts of the Covid-19 pandemic, lowering the final amount of the fine from £24 million to £18.4 million.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Information Commissioner's Office

PENALTY NOTICE

Section 155, Data protection Act 2018

Case ref: COM0804337
Ma10400 Fernwood Roadl Inc
Bethesda
M DUSA0 8 1 7

30 October 20201 INTRODUCTION & SUMMARY

1.1. This Penalty Notice i given to Marriott International Inc
(“Marriott”) pursuant to section 155 and Schedule 16 of the Data

Protection Act 2018 (the “DPA”). I relates to infringements of the
General Data Protection Regulation (the “GDPR”), which came to

the attention of the Information Commissioner (“the
Commissioner”) as a result of an attack on Marriott’s IT systems?

that took place over a period that included 25 May 2018 to 17
September 2018 (the “Attack”).

1.2. Insummary, i 2014 the IT systems of Starwood Hotels and Resorts

Worldwide Inc (“Starwood”) were compromised by an unknown
attacker or attackers (referred to, for ease of reference, as “the

Attacker”), utilising an unknown attack vector. In 2016, Marriott
acquired Starwood. Marriott did not detect the Attack at any time
between acquiring Starwood and September 2018, including i the

period after the entry into force of the GDPR i May 2018. During
this latter period, the Attacker continued to traverse through the

Starwood systems and had gained access to the cardholder data
environment within the Starwood network. This access allowed the

Attacker to export the personal data of Starwood customers to
“dmp” files on the Starwood systems, potentially with a view to
taking a copy of that data. I was only when the Attacker triggered

an alert i relation to a table containing cardholder data that the
Attack was discovered and could be mitigated. The personal data of

a large number of individuals was involved in the Attack, including
cardholder data, although the Commissioner has not seen any
evidence of financial harm to individuals. Following the alert,

Marriott promptly informed affected data subjects and took
immediate steps to mitigate the effects of the Attack and to protect

the interests of data subjects by implementing remedial measures.

1.3. Marriott i an _ international hotel chain, with operational
headquarters i the USA. The provisions of the DPA and the GDPR

apply to the processing of personal data by Marriot by virtue of

1 References i this decision to Marriott’s systems / network / security etc. concern the IT systems
etc. that Marriott acquired from Stai September2016 and retained and continued to use
post-acquisition. section 207(2) DPA and Article 3(1) GDPR. Marriott has confirmed
that Marriott Hotels Limited i Marriott’s main establishment within

the EU, as defined i Article 4(16) GDPR.

1.4. The data subjects affected by this breach were customers of

Starwood, which was at the relevant time owned by Marriott, i the
United Kingdom, elsewhere in the EU, and in the rest of the world.

1.5. Marriott was the controller i respect of the personal data of its

customers within the meaning of section 6 DPA and Article 4(7)
GDPR, as i determined the purposes and means of the processing

of the personal data. By inter alia collecting, recording, organising,
structuring and storing the personal data of its customers, Marriott
was processing that data within the meaning of section 3(4) DPA

and Article 4(2) GDPR.

1.6. Marriott has not admitted liability for breach of the GDPR. However,

for the reasons set out i this Penalty Notice, the Commissioner has
found that Marriott failed to process personal data i a manner that
ensured appropriate security of the personal data, including

protection against unauthorised or unlawful processing and against
accidental loss, destruction or damage, using appropriate technical

and organisational measures, as required by Article 5(1)(f) and
Article 32 GDPR.

1.7. The Commissioner has found that, in all the circumstances, and

having regard, i particular, to Marriott’s representations and the
matters listed i Article 83(1) and (2) GDPR, the infringements
constitute a serious failure to comply with the GDPR and,

accordingly, that the imposition of a penalty i appropriate. The
amount of the penalty that the Commissioner has decided to

impose, having taken into account a range of mitigating factors set
out further below and the impact of the Covid-19 pandemic, i £18.4
million.

1.8. Pursuant to Article 56 GDPR, the Commissioner i acting as lead
supervisory authority i respect of the cross-border processing at

issue i this case.2.LEGAL FRAMEWORK

GDPR

2.1. On 25 May 2018, the GDPR entered into force, replacing the
previous EU law data protection regime that applied under Directive

95/46/EC (“Data Protection Directive”)*?. The GDPR seeks to
harmonise the protection of fundamental rights i respect of

personal data across EU Member States and, unlike the Data
Protection Directive, i directly applicable i every Member State.?

2.2. The GDPR was developed and enacted i the context of challenges

to the protection of personal data posed by, i particular:

a. the substantial increase i cross-border flows of personal data

resulting from the functioning of the internal market;*+ and

b. the rapid technological developments which have occurred

during a period of globalisation.> As Recital (6) explains: “.. The
scale of the collection and sharing of personal data has

increased significantly. Technology allows’ both private
companies and public authorities to make use of personal data

on an unprecedented scale in order to pursue their activities....”

2.3. Such developments made i necessary for “a strong and more

coherent data protection framework in the Union, backed by strong
enforcement, given the importance of creating the trust that will

allow the digital economy to develop across the internal market...”.®

2.4. Against that background, the GDPR imposed more stringent duties
on controllers and significantly increased the penalties that could be

imposed for a breach of the obligations imposed on controllers
(amongst others).’

2 Directiv95/46/EC of theEuropean Parliamentand of theCouncil of 24October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement
of such data.
3 Recital 3.
4 Recital 5.
§ Recital 7.
7 See, i particular, Recitals 11, 148, 150, and Article 5, Chapter IV and Article 83. The relevant obligations

2.5. Chapter 1 GDPR sets out the general provisions. Article 5 of Chapter

I GDPR sets out the principles relating to the processing of personal
data. Article 5(1) lists the six basic principles that controllers must
comply with i processing personal data, including:

1. Personal data shall be:

..(f) processed in a manner that ensures appropriate security
of the personal data, including protection § against

unauthorised or unlawful processing and against accidental
loss, destruction or damage, using appropriate technical or
organisational measures (‘integrity and confidentiality’)

2.6. Article 5(2) GDPR makes i clear that the “contro/ler shall be

responsible for, and be able to demonstrate compliance with,
paragraph 1 (‘accountability’)”.

2.7. Chapter IV, Section 1 addresses the general obligations of

controllers and processors. Article 24 sets out the responsibility of
controllers for taking appropriate steps to ensure and be able to

demonstrate that processing i compatible with the GDPR. Articles
28-29 make separate provision for the processing of data by
processors, under the instructions of the controller.

2.8. Chapter IV, Section 2 addresses security of personal data. Article 32
GDPR provides:

1. Taking into account the state of the art, the costs of
implementation and the nature, scope, context and purposes
of processing as well as the risk of varying likelihood and
severity for the rights and freedoms of natural persons, the
controller and the processor shall implement appropriate

technical and organisational measures to ensure a level of
security appropriate to the risk, including inter alia as
appropriate:

(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality,

integrity, availability and resilience of processing
systems and services;
(C)...
(d)a process for regularly testing, assessing and

evaluating the effectiveness of technical and
organisational measures for ensuring the security of
processing.

2. In assessing the appropriate level of security, account shall
be taken in particular of the risks that are presented by
processing, in particular from accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or

access to, personal data transmitted, stored or otherwise
processed.

2.9, Article 32 GDPR applies to both controllers and processors.

Penalties

2.10. Article 83(1) GDPR requires supervisory authorities to ensure that

any penalty imposed i each individual case i “effective,
proportionate and dissuasive".

2.11. The principle that penalties ought to be effective, proportionate and
dissuasive i a longstanding principle of EU law. The Commissioner

i under an EU law obligation to ensure that infringements of the
GDPR are penalised i a manner that i effective, proportionate and
dissuasive.

2.12. Further, Recital 148 emphasises, inter alia, that “in order to
strengthen the enforcement of the rules of this Regulation, penalties

including administrative fines should be imposed for any
infringement of this Regulation, in addition to, or instead of
appropriate measures imposed by the supervisory authority

pursuant to this Regulation.” I also records that due regard should
be given to the:

. nature, gravity and duration of the infringement, the
intentional character of the infringement, actions taken to
mitigate the damage suffered, degree of responsibility or any
relevant previous infringements, the manner in which the

infringement became known to the supervisory authority,
compliance with measures ordered against the controller or
processor, adherence to a code of conduct and any other
aggravating or mitigating factor...

2.13. Recital 150 provides as follows:

In order to strengthen and harmonise administrative
penalties for infringements of this Regulation, each
supervisory authority should have the power to impose
administrative fines. This Regulation should indicate
infringements and the upper limit and criteria for setting the
related administrative fines, which should be determined by

the competent supervisory authority in each individual case,
taking into account all relevant circumstances of the specific
situation, with due regard in particular to the nature, gravity
and duration of the infringement and of its consequences and

the measures taken to ensure compliance with the obligations
under this Regulation and to prevent or mitigate the
consequences of the infringement. Where administrative
fines are imposed on an undertaking, an undertaking should
be understood to be an undertaking in accordance with

Articles 101 and 102 TFEU for those purposes. Where
administrative fines are imposed on persons that are not an
undertaking, the supervisory authority should take account of
the general level of income in the Member State as well as
the economic situation of the person in considering the

appropriate amount of the fine. The consistency mechanism
may also be used to promote a consistent application of
administrative fines. It should be for the Member States to
determine whether and to which extent public authorities
should be subject to administrative fines. Imposing an

administrative fine or giving a warning does not affect the
application of other powers of the supervisory authorities or
of other penalties under this Regulation.

2.14. In line with the above, when deciding whether to impose a fine and

the appropriate amount of any such fine, Article 83(2) GDPR
requires the Commissioner to have regard to the following matters:

(a) the nature, gravity and duration of the infringement
taking into account the nature scope or purpose of the
processing concerned as well as the number of data
subjects affected and the level of damage suffered by
them;

(b) the intentional or negligent character of the infringement;

(c) any action taken by the controller or processor to mitigate

the damage suffered by data subjects;

(d) the degree of responsibility of the controller or processor,
taking into account technical and organisational measures
implemented by them pursuant to Articles 25 and 32;

(e) any relevant previous infringements by the controller or
processor;

(f) the degree of co-operation with the supervisory authority,
in order to remedy the infringement and mitigate the
possible adverse effects of the infringement;

(g)the categories of personal data affected by the
infringement;

(h) the manner in which the infringement became known to
the supervisory authority, including whether, and if so to
what extent, the controller or processor notified the

supervisory authority of the infringement;

(i) where measures referred to in Article 58(2) have
previously been ordered against the controller or

processor concerned with regard to the same subject-
matter, compliance with those measures;

( adherence to approved codes of conduct pursuant to

Article 40 or approved certification mechanisms pursuant
to Article 42; and

(k) any other aggravating or mitigating factor applicable to

the case, including financial benefits gained, or losses
avoided, directly or indirectly from the infringement. ®

2.15. Article 83(5) GDPR provides that infringements of the basic

principles for processing imposed pursuant to Article 5 GDPR will, i
accordance with Article 83(2) GDPR, be subject to administrative

fines of up to €20 million or, i the case of an undertaking, up to
4% of its total worldwide annual turnover of the preceding financial
year, whichever i higher.

2.16. Article 83(4) GDPR provides, inter alia, that infringements of the
obligations imposed by Article 32 GDPR on the controller and

processer will, i accordance with Article 83(2) GDPR, be subject to
administrative fines of up to €10 million or, i the case of an

8 See also the Article 29 Data Protection WParty Guidelines on the application and setting of
administrative fines for the purposes of Regulation 2016/679, adopted on 3 October 2017, endorsed
by the European Data ProtectionBoard at its first plensession.These providea high-level
overview of the assessment criteria set out i Article 83(2) GDPR i Section ITI (“the Article 29 WP
Guidelines”.
8 undertaking, up to 2% of its total worldwide annual turnover of the

preceding financial year, whichever i higher.

2.17. Article 83(3) GDPR addresses the circumstances i which the same
or linked processing operations give rise to infringements of several

provisions of the GDPR. I provides that “.. the total amount of the
administrative fine shall not exceed the amount specified for the

gravest infringement”.

2.18. Article 83(8) GDPR provides that the exercise by any supervisory
authority of its powers to fine undertakings will be subject to

procedural safeguards, including an effective judicial remedy and
due process.

Cooperation and consistency

2.19. Where, as here, the processing i issue i cross-border, Article 56
GDPR makes provision for the designation of a lead supervisory

authority. In this case, the Commissioner i acting as the lead
supervisory authority. Chapter VII GDPR establishes the regime for
ensuring cooperation between lead and other concerned supervisory

authorities, permitting unified decision-making.?

2.20. Article 60 GDPR provides:

1. The lead supervisory authority shall cooperate with the
other supervisory authorities concerned in accordance with
this Article in an endeavour to reach consensus. The lead
supervisory authority and the supervisory authorities

concerned shall exchange all relevant information with each
other.

2. The lead supervisory authority may request at any time
other supervisory authorities concerned to provide mutual

assistance pursuant to Article 61 and may conduct joint
operations pursuant to Article 62, in particular for carrying
out investigations or for monitoring the implementation of a
measure concerning a controller or processor established in
another Member State.

3. The lead supervisory authority shall, without delay,
communicate the relevant information on the matter to the
other supervisory authorities concerned. It shall without

° The relevant provisions enacting this regime must be read subject to, i particular, Articles 7, 70
and 127-128 and 131 of the Withdrawal Agreebetween the EU and United Kingdom.
9delay submit a draft decision to the other supervisory
authorities concerned for their opinion and take due account

of their views.

4. Where any of the other supervisory authorities concerned
within a period of four weeks after having been consulted in
accordance with paragraph 3 of this Article, expresses a

relevant and reasoned objection to the draft decision, the lead
supervisory authority shall, if i does not follow the relevant
and reasoned objection or is of the opinion that the objection
is not relevant or reasoned, submit the matter to the
consistency mechanism referred to in Article 63.

5. Where the lead supervisory authority intends to follow the
relevant and reasoned objection made, i shall submit to the
other supervisory authorities concerned a revised draft
decision for their opinion. That revised draft decision shall be

subject to the procedure referred to in paragraph 4 within a
period of two weeks.

6. Where none of the other supervisory authorities concerned
has objected to the draft decision submitted by the lead

supervisory authority within the period referred to in
paragraphs 4 and 5, the lead supervisory authority and the
supervisory authorities concerned shall be deemed to be in
agreement with that draft decision and shall be bound by i

7. The lead supervisory authority shall adopt and notify the

decision to the main establishment or single establishment of
the controller or processor, as the case may be and inform
the other supervisory authorities concerned and the Board of
the decision in question, including a summary of the relevant

facts and grounds. The supervisory authority with which a
complaint has been lodged shall inform the complainant on
the decision.

8. By derogation from paragraph 7, where a complaint is

dismissed or rejected, the supervisory authority with which
the complaint was lodged shall adopt the decision and notify
i to the complainant and shall inform the controller thereof.

9. Where the lead supervisory authority and the supervisory
authorities concerned agree to dismiss or reject parts of a

complaint and to act on other parts of that complaint, a
separate decision shall be adopted for each of those parts of
the matter. The lead supervisory authority shall adopt the
decision for the part concerning actions in relation to the

10 controller, shall notify i to the main establishment or single
establishment of the controller or processor on the territory
of its Member State and shall inform the complainant thereof,

while the supervisory authority of the complainant shall adopt
the decision for the part concerning dismissal or rejection of
that complaint, and shall notify i to that complainant and
shall inform the controller or processor thereof.

10. After being notified of the decision of the lead supervisory

authority pursuant to paragraphs 7 and 9, the controller or
processor shall take the necessary measures to ensure
compliance with the decision as regards processing activities
in the context of all its establishments in the Union. The

controller or processor shall notify the measures taken for
complying with the decision to the lead supervisory authority,
which shall inform the other supervisory authorities
concerned. .

2.21. Article 60(4) refers to the consistency mechanism, which i i

Section 2 of Chapter VII GDPR. Article 63 provides that: “In order
to contribute to the consistent application of this Regulation

throughout the Union, the supervisory authorities shall cooperate
with each other and, where relevant, with the Commission, through
the consistency mechanism as set out in this Section.” Article 65

GDPR provides, insofar as relevant, that:

Dispute resolution by the Board

1. In order to ensure the correct and consistent application of

this Regulation in individual cases, the Board shall adopt a
binding decision in the following cases:

(a) where, in a case referred to in Article 60(4), a
supervisory authority concerned has raised a relevant
and reasoned objection to a draft decision of the lead

authority or the lead authority has rejected such an
objection as being not relevant or reasoned. The
binding decision shall concern all the matters which are
the subject

2. The decision referred to in paragraph 1 shall be adopted
within one month from the referral of the subject-matter by
a two-thirds majority of the members of the Board. That
period may be extended by a further month on account of the
complexity of the subject-matter. The decision referred to in

paragraph 1 shall be reasoned and addressed to the lead

11 supervisory authority and all the supervisory authorities
concerned and binding on them.

3. Where the Board has been unable to adopt a decision

within the periods referred to in paragraph 2, i shall adopt
its decision within two weeks following the expiration of the
second month referred to in paragraph 2 by a simple majority
of the members of the Board. Where the members of the

Board are split, the decision shall by adopted by the vote of
its Chair.

4, The supervisory authorities concerned shall not adopt a
decision on the subject matter submitted to the Board under
paragraph 1 during the periods referred to in paragraphs 2

and 3.

5. The Chair of the Board shall notify, without undue delay,
the decision referred to in paragraph 1 to the supervisory
authorities concerned. It shall inform the Commission
thereof. The decision shall be published on the website of the

Board without delay after the supervisory authority has
notified the final decision referred to in paragraph 6.

6. The lead supervisory authority or, as the case may be, the
supervisory authority with which the complaint has been
lodged shall adopt its final decision on the basis of the

decision referred to in paragraph 1 of this Article, without
undue delay and at the latest by one month after the Board
has notified its decision. The lead supervisory authority or, as
the case may be, the supervisory authority with which the

complaint has been lodged, shall inform the Board of the date
when its final decision is notified respectively to the controller
or the processor and to the data subject. The final decision of
the supervisory authorities concerned shall be adopted under
the terms of Article 60(7), (8) and (9). The final decision shall

refer to the decision referred to in paragraph 1 of this Article
and shall specify that the decision referred to in that
paragraph will be published on the website of the Board in
accordance with paragraph 5 of this Article. The final decision
shall attach the decision referred to in paragraph 1 of this

Article.

DPA

The Commissioner

2.23. Section 115 DPA establishes that the Commissioner i the UK’s
supervisory authority for the purposes of the GDPR. Section 115 DPA

12 provides, inter alia, that the Commissioner’s powers under Articles
58(2)(i) (the power to impose administrative fines) and 83 GDPR

are exercisable only by giving a penalty notice under section 155
DPA.

Penalties

2.24. Section 155(1) DPA provides that, i the Commissioner i satisfied
that a person has failed or i failing as described i section 149(2)
DPA, the Commissioner may, by written notice (a “penalty notice”),

require the person to pay to the Commissioner an amount i sterling
specified i the notice.

2.25. Section 149(2) DPA provides:

(1) The first type of failure is where a controller or processor
has failed, or is failing, to comply with any of the following -

(a) a provision of Chapter II of the GDPR or Chapter 2 of

Part 3 or Chapter 2 of Part 4 of this Act (principles of
processing);
(b) .

(c) a provision of Articles 25 to 39 of the GDPR or section
64 or 65 of this Act (obligations of controllers and
processors)...

2.26. Section 155 DPA sets out the matters to which the Commissioner

must have regard when deciding whether to issue a penalty notice
and when determining the amount of the penalty.

2.27. Section 155(2) DPA provides that, subject to subsection (4), when

deciding whether to give a penalty notice to a person and
determining the amount of the penalty, the Commissioner must

have regard to the matters listed i Article 83(1) and (2) GDPR.

2.28. Schedule 16 includes provisions relevant to the imposition of
penalties. Paragraph 2 makes provision for the issuing of notices of

intent to impose a penalty, as follows:

(1) Before giving a person a penalty notice, the Commissioner
must, by written notice (a “notice of intent”) inform the

person that the Commissioner intends to give a penalty
notice.

13 (2) The Commissioner may not give a penalty notice to a
person in reliance on a notice of intent after the end of the

period of 6 months beginning when the notice of intent is
given, subject to sub-paragraph (3).

(3) The period for giving a penalty notice to a person may be
extended by agreement between the Commissioner and the

person.

2.29. Paragraph 5 sets out the required contents of a penalty notice, i
accordance with which this Penalty Notice has been prepared.

Guidance

2.30. Section 160 DPA requires the Commissioner to produce and publish
guidance about how she intends to exercise her functions. With
respect to penalty notices, such guidance i required to include:

(a) provision about the circumstances in which the
Commissioner would consider i appropriate to issue a penalty
notice;

(b) provision about the circumstances in which the
Commissioner would consider i appropriate to allow a person
to make oral representations about the Commissioner's
intention to give the person a penalty notice;

(c) provision explaining how the Commissioner — will

determine the amount of penalties;

(d) provision about how the Commissioner will determine
how to proceed if a person does not comply with a penalty
notice.

2.31. Pursuant to section 161 DPA, the Commissioner's first guidance
documents issued under section 160(1) DPA had to be consulted

upon and laid before Parliament by the Secretary of State i
accordance with the procedure set out i that section. Thereafter, i
issuing any altered or replacement guidance, the Commissioner

required to consult the Secretary of State and such other persons
as she considers appropriate. The Commissioner must also arrange

for such guidance to be laid before Parliament.

14The Commissioner’s Regulatory Action Policy

2.32. On 4 May 2018, the Commissioner opened a consultation process
on how the Commissioner planned to discharge her regulatory
powers under the DPA. The consultation attracted responses from

across civil society, commentators, and industry (including the
finance and insurance, online technology and telecoms, and charity

sectors). The consultation ended on 28 June 2018. Having taken all
the views received during the consultation process into account, the
Regulatory Action Policy (the “RAP”) was submitted to the Secretary

of State and laid before Parliament for approval.

2.33. Pursuant to section 160(1) DPA, the Commissioner published her

RAP on 7 November 2018. Under the hearing “Aims”, the RAP
explains that i seeks to:

e “Set out the nature of the Commissioner’s various powers in

one place and to be clear and consistent about when and how
we use them”;

e “Ensure that we take fair, proportionate and timely regulatory
action with a view to guaranteeing that individuals’ information
rights are properly protected”;

e “Guide the Commissioner and our staff in ensuring that any
regulatory action is targeted, proportionate and effective...”°

2.34. The objectives of regulatory action are set out at page 6 of the RAP,
including:

e “To respond swiftly and effectively to breaches of legislation

which fall within the ICO’s remit, focussing on [inter alia] those
adversely affecting large groups of individuals”.

e “To be effective, proportionate, dissuasive and consistent in our
application of sanctions”, targeting action taken pursuant to the
Commissioner’s most. significant powers on, inter alia,

“organisations and individuals suspected of repeated or wilful
misconduct or serious failures to take proper steps to protect
personal data”.

1 RAP, page 5
152.35. The RAP explains that the Commissioner will adopt a selective

approach to regulatory action.‘ When deciding whether and how to
respond to breaches of information rights obligations she will
consider criteria which include the following:

e “the nature and seriousness of the breach or potential breach”;

e “where relevant, the categories of personal data affected

(including whether any special categories of personal data are
involved) and the level of any privacy intrusion”;

e “the number of individuals affected, the extent of any exposure

to physical, financial or psychological harm, and, where i is an
issue, the degree of intrusion into their privacy”;

e “whether the issue raises new or repeated issues, or concerns
that technological security measures are not protecting the

personal data”;

e “the cost of measures to mitigate any risk, issue or harm”;

e “the public interest in regulatory action being taken (for

example, to provide an effective deterrent against future
breaches or clarify or test an issue in dispute)”.++

2.36. The RAP explains that, as a general principle, “more serious, high-
impact, intentional, wilful, neglectful or repeated breaches can
expect stronger regulatory action”.13

2.37. Pages 24-25 of the RAP identify the circumstances i which the
issuing of a Penalty Notice will be appropriate. They explain, inter

alia, that i “ considering the degree of harm or damage we may
consider that, where there is a lower level of impact across a large

number of individuals, the totality of that damage or harm may be
substantial, and may require a sanction.” The RAP stresses that each
case will be assessed objectively on its own merits. However, i

explains that, i accordance with the Commissioner’s risk-based
approach, a penalty i more likely to be imposed in, inter alia, the

following situations:

1 RAP, pages 6-7 and 10.
1 RAP, pages 10-11.
1 RAP, page 12.
16 e “a number of individuals have been affected”;

e “there has been a degree of damage or harm (which may

include distress and/or embarrassment)”; and

e “there has been a failure to apply reasonable measures
(including relating to privacy by design) to mitigate any breach

(or the possibility of it)”.

2.38. The process the Commissioner will follow i deciding the appropriate

amount of penalty to be imposed i described from page 27
onwards. In particular, the RAP sets out the following five-step
process:

a. Step 1. An ‘initial element’ removing any financial gain from
the breach.

b. Step 2. Adding i an element to censure the breach based on

its scale and severity, taking into account the considerations
identified at section 155(2)-(4) DPA.

c Step 3. Adding i an element to reflect any aggravating factors.

A list of aggravating factors which the Commissioner would take
into account, where relevant, i provided at page 11 of the RAP.

This list i intended to be indicative, not exhaustive.

d. Step 4. Adding i an amount for deterrent effect to others.

e. Step 5. Reducing the amount (save that i the initial element)

to reflect any mitigating factors, including ability to pay
(financial hardship). A list of mitigating factors which the
Commissioner would take into account, where relevant, i

provided at page 11-12 of the RAP. This list i intended to be
indicative, not exhaustive.

3. CIRCUMSTANCES OF THE FAILURE: FACTS

Marriott’s acquisition of the Starwood network

3.1. Marriot acquired Starwood i September 2016. During the
acquisition process, Starwood shareholders received 0.8 shares of
Marriott, as well as $21 per Starwood common stock. After the

acquisition, the Marriott and Starwood computer systems were kept

17 separate, and they remained separate throughout the relevant

period. Marriott did, however, plan on integrating aspects of the
Starwood network into the Marriott network over an 18-month
period i order to create a single, unified network within Marriott’s

security footprint.

3.2. Upon acquisition, but prior to decommissioning the Starwood

network, Marriott made enhancements to the security of Starwood’s
existing IT network.

3.3. During the acquisition process, Marriott states that i was only able

to carry out limited due diligence on the Starwood data processing
systems and databases.'* For the avoidance of any doubt, the

Commissioner i not making any finding of infringement in respect
of the period between Marriott’s acquisition of Starwood and the

entry into force of the GDPR on 25 May 2018. Accordingly, the
Commissioner has not determined whether or not i was possible for
Marriott to conduct due diligence during a takeover. There may be

circumstances i which in-depth due diligence of a competitor i not
possible during a takeover.

3.4. This Penalty Notice concerns the extent to which, after the GDPR
came into effect on 25 May 2018, Marriott adequately prepared the
Starwood systems to protect personal data. In particular, i i

necessary to assess whether the Attack disclosed a failure to ensure
compliance with Articles 5.1(f) and 32 of the GDPR following its entry

into force.

The planned integration of the Starwood and Marriott networks

3.5. The integration of Starwood into the Marriott hotels group began

following the acquisition. While this involved the transferring of data
from the Starwood systems to the Marriott network, the systems

accessed by the Attacker remained segregated from the Marriott
network.

3.6. As a result, the Attack did not involve access to the wider Marriott
network and the Attacker would not have had access to personal
data that was processed only on non-Starwood systems. The

planned migration and the decommissioning of the Starwood

1 See, for example, the representations served by Marriott i response to the Commissioner’s Notice
of Intent (“Marriott's First Representatiopara 1.33.
18 systems was expedited by Marriott after discovery of the Attack and

the decommissioning of the relevant Starwood systems was
completed on 11 December 2018.

The Attack

3.7. What follows i a summary of the key stages of the Attack.

Pre-acquisition infiltration of the Starwood IT systems

3.8. The Attacker installed a web shell on a device within the Starwood

network on 29 July 2014. This device was used to support an
Accolade software application. That application was used by
Starwood to allow employees to request changes to any content of

Starwood's website.

3.9. The installation of a web shell on the server gave the Attacker the

ability to remotely access the system, therefore allowing for the
accessing and editing of the contents of that system. This access
was exploited i order to install Remote Access Trojans (“RATS”) -

malware which enables remote administrator control of the system.
Administrator access allows a user to perform actions above that

permitted by a normal user. As a result, the Attacker would have
had unrestricted access to the relevant device, and any other

devices on the network to which that administrator account would
have had access.

3.10. On an undetermined date, the Attacker installed and executed

“Mimikatz”. This i a post-exploitation tool which allows login
credentials temporarily stored i the system memory to be

harvested. I scanned the server for all the usernames and
passwords stored i this manner i the system and allowed the
Attacker to continue to compromise user accounts, which were

secured using a mixture of single and multi-factor authentication.‘
These accounts were then used to perform further reconnaissance

and, ultimately, to run commands on the Starwood reservation
database, as described below.

3.11. On 15 April 2015, a file named “Reservation _Room_sharer.dmp”
was created on a Starwood device. This file could have been created

1 Marriott’s First Representations, para 1.40 and page 63.
19 by the Attacker with a view to exfiltrating all the data contained i

the table at once.®

3.12. On 21 April 2015, a file named “Consumption_Roomtype.dmp” was
created. This file could have been created by the Attacker with a

view to exfiltrating all the data contained i this table at once.!”

3.13. On 17 May 2016, a file named “reservation_Room_Sharer.dmp” was

created. This file could have been created by the Attacker with a
view to exfiltrating all the data contained i this table at once.*®

3.14. Following Marriott’s acquisition of Starwood, on 31 December 2016

or 1 January 2017,1° additional malware which searched devices for
payment card data, known as “memory-scraping malware”, was

installed on multiple Starwood Devices. Marriott believes, but cannot
be certain, that this action was carried out by a different attacker to

the one responsible for the actions described immediately above.
The memory-scraping malware was executed on 10 January 2017
on eight property management systems, but the malware was not

successful i collecting payment card data from any of the devices.
The eight properties involved were not in the European Union.

Continued Attack, post-acquisition and following the GDPR coming

into force

3.15. On 7 September 2018, the Attacker performed a “count” on the
“Guest_Master_profile” table, which would have told the Attacker

how many rows the table contained.

3.16. This count triggered an alert on the Guardium system placed on the

database (“the Guardium Alert”). Such alerts were applied to
tables which included card details.2° The other tables mentioned
above did not contain payment card information and were not

protected by Guardium software. Thus, no alarm could be triggered
by the actions of the Attacker.

1 Marriott’s First Representations, page 63.
1 Marriott’s First Representations, page 63.
1 Marriott’s First Representations, page 63.
1 Marriott has also provided the alternative date of 1 January 2017 for this installation (see Marriott’s
Second Representations, page 37).
2 “Guardium” i a data protection software produced by IBM.
203.17. The Attacker also exported the “Guest_Master_profile” table into a

“dmp” file (as had previously occurred i relation to the other tables
referred to above).

Discovery and reporting of the breach

3.18. On 8 September 2018, Accenture, the company managing the

Starwood Guest Reservation Base, contacted Marriott’s IT team
regarding the Guardium alert of the previous day. This was the first

Guardium alert relating to the Attack that Marriott had received
since its acquisition of Starwood.

3.19. On 10 September 2018, the “PP_Master” table was exported to a

“dmp” file on the Starwood system.

3.20. Following the Guardium alert, on 9/10 September 2018, Marriott

instigated its Information Security and Privacy Incident Response
Plan. On 12 September 2018, Marriott began to deploy real-time

monitoring and forensic tools on 70,000 legacy Starwood devices.
The purpose of this measure was to monitor the local system and
identify potentially malicious activity i real-time, with findings

reported back to Marriott’s central monitoring server.

3.21. On 15/16 September 2018, Marriott identified further unauthorised

activity from 7 July 2018, specifically the use of credentials of
Accenture employees.

3.22. On 17 September 2018, the presence of a RAT was identified.

Marriott took action to contain the RAT, by blocking the command-
and-control IP addresses used by the RAT.

3.23. In early to mid-October 2018, the Attacker’s use of Mimikatz ona
number of occasions since 2014 was identified, as was the memory-

scraping malware, referred to i paragraph 3.14. On 29 October
2018, Marriott contacted the United States Federal Bureau of
Investigation.

3.24. On 13 November 2018, two compressed, encrypted and previously
deleted files were identified. These files were named

“guest_master_profile” and “pp_master”. On 19 November 2018,
the aforementioned files were decrypted, and i was found that they
respectively contained an export of the Guest_Master_Profile table

and the PP_Master table.

213.25. On 22 November 2018, Marriott notified the Commissioner of a
personal data breach.

3.26. On 25 November 2018, Marriott discovered that a file named
“Reservation_room_sharer.dmp” had been created on a Starwood

device, and on 26 November 2018, Marriott identified a second file
named “Reservation_room_sharer.dmp” which had been created on
a Starwood device, and _ established that a file mamed

“consumption_roomtype.dmp” had also been created.

3.27. On 30 November 2018, Marriott provided a follow-up report to the

Commissioner regarding further personal data breaches. On the
same day, Marriott issued a press release about the Attack and
established a dedicated Starwood incident website. Marriott also

began sending email notifications to affected data subjects on 30
November 2018. In the initial email notification to data subjects,

Marriott informed them that a dedicated call centre had been set up
i order to receive complaints. The email notification did not provide
the telephone number for the call centre, however i did contain a

link to the dedicated website, which included the telephone number
of the call centre. Following telephone contact between the

Commissioner’s office and Marriott, the email was updated to
include the telephone number for the call centre, and Marriott sent
the revised version on 9 December 2018.2!

4.PERSONAL DATA INVOLVED IN THE FAILURE

4.1. The Attacker appears to have obtained personal data i both
encrypted and unencrypted forms. The unencrypted information
included:

a. On the “Guest_Master_Profile_table” file: a numerical identifier
to identify the guest, guest name, gender, date of birth,

whether the guest has been identified as a VIP, whether the
guest i a member of the Starwood loyalty programme and their
account information (“SPG”), mailing address, passport country

code, phone number, fax number, email address, and credit
card expiration date.

2 Marriott First Representations, page 65.
22 On the “reservation_room_sharer_table”: a central reservation
confirmation number, a unique numerical room identifier, guest

name, SPG account information, whether the guest has been
identified as a VIP, a separate VIP code, 5.25 million

unencrypted guest passport numbers (935,000 of which were
passports associated with EEA member state records), country
of guest’s passport, arrival time, departure date, address,

phone and fax numbers, email address, whether the guest has
checked in, flight number and airline code, and the total

number of guests i the room.

On the “consumption_room_type_table”: a reservation

confirmation number, the Guest Master profile ID, a unique
numerical room identifier, room type, number of child guests,

number of adult guests, number of cribs used i the room,
number of rollaway beds designed for adults and the number of
rollaway beds designed for children, guest arrival date;

On the “PP_master_table”: the passport number record specific

decryption key. Marriott considers that this would not be
sufficient to decrypt the passport numbers as a master
encryption key i also required, and does not appear to have

been obtained by the attackers.

4.2. The encrypted information was as follows:

a. 18.5 million encrypted passport numbers, 4,290,000 of which

were associated with EEA member state records.

9.1 million encrypted payment cards, 873,000 of which are
associated with EEA member state records.2?

4.3. Marriott’s estimate i that 339 million guest records were affected.

Of these, 30.1 million were EEA records,** of which 7 million are
associated with the United Kingdom. All data subjects who were

affected pre-GDPR were also affected by the actions of the Attacker
post-GDPR, as the entire contents of the affected tables were
exported to “dmp” files on the Starwood system each time.

2 Marriott’s First Representations, page 65.
2 Marriott’s First Representations, page 65.
2 Marriott’s First Representations, page 65.

23 However, the specific personal data involved differed between
individual data subjects.

5. PROCEDURE

5.1. This section summarises the procedural steps the Commission has
taken. The Annex to this Penalty Notice provides a more detailed
chronology.

5.2. Marriott notified the Commissioner of the Attack on 22 November
2018. In response, the Commissioner commenced an investigation

into the incident. That investigation included various exchanges with
Marriott and considering detailed submissions and evidence.

5.3. On 5 July 2019, the Commissioner issued Marriott with a Notice of

Intent to impose a penalty, pursuant to section 155(1) DPA and
Schedule 16 of the DPA (the “NOI”). The proposed penalty was

£99,200,396.00.

5.4. Marriott made written representations in response to the NOI on 23
August 2019, which are referred to i this Notice as “Marriott’s

First Representations”. Marriott did not request an opportunity to
make oral submissions.

5.5. Between August and October 2019, Marriott and the Commissioner
exchanged correspondence about a number of issues, including (a)
the application of the Commissioner’s Draft Internal Procedure,

which i discussed further below; (b) the application and/or
operation of the Article 60 GDPR consultation process; and (c)

Marriott’s request for further opportunities to make submissions or
representations prior to and during the Article 60 process.

5.6. In a letter dated 6 December 2019, the Commissioner:

a. confirmed that she no longer intended to exercise her discretion
to convene the Panel;

b. confirmed that the Draft Internal Procedure would not be taken
into account in setting any penalty imposed on Marriott, having

considered the detailed representations Marriott had made on
this issue i its First Representations. The letter confirmed that

the Commissioner would continue to apply the EU and domestic

24 legislative framework i conjunction with the Regulatory Action
Policy;

c outlined how the Article 60 consultation process would be

conducted i this case; and

d. agreed to give Marriot the opportunity to make _ further

representations on the Commissioner’s draft decision i Marriott
agreed to extend the six-month period for the issuing of a

penalty notice prescribed i paragraph 2 of Schedule 16 of the
DPA. The Commissioner proposed a new deadline of 31 March
2020.

5.7. The Commissioner’s position on these issues was informed, i
particular, by careful consideration of Marriott’s First

Representations. Given the length and detail of those
representations and the overall complexity of the case, that
consideration took time and considerable resources. That process

also resulted in changes and clarifications to the form and content
of the draft decision.

5.8. The Commissioner was also especially mindful of the fact that she
acted as lead supervisory authority pursuant to Article 60 GDPR i
this case, and that i was therefore important that her investigation

and decision be as comprehensive as possible, since the draft
decision must be submitted for the consideration of other

supervisory authorities pursuant to Article 60(3).

5.9. Although not required by law, the Commissioner considered that a
further opportunity for Marriott to make representations was

appropriate, provided that an agreement could be reached on
extending the statutory timetable having regard, i particular, to:
( the complexity of the case, (ii) Marriott’s representations, and

(iii) the fact that this i one of the first major decisions made under
the new EU data protection regime.

5.10. Following further correspondence, Marriott confirmed on 17
December 2019 its agreement to a statutory extension of time to 31
March 2020. On 20 December 2019, the Commissioner provided

Marriott with a draft decision, and invited i to make further written
representations and to provide any other relevant evidence i wished

the Commissioner to take into account.
255.11. On 31 January 2020, Marriott provided further detailed written
representations on the Commissioner’s draft decision (“Marriott’s

Second Representations”).

5.12. On 12 February 2020, the Commissioner wrote to Marriott
requesting further information and documents which arose from her

consideration of the Second Representations.

5.13. In the light of the length and complexity of the Second

Representations, on 13 February 2020 the parties agreed a further
statutory extension of time until 1 June 2020.

5.14. Between 28 February 2020 and 28 April 2020, Marriott provided the

Commissioner with the information she had requested on 12
February 2020.

5.15. On 3 April 2020 the Commissioner invited Marriott to make further

representations specifically i respect of the financial impact on its
business caused by the Covid-19 pandemic. Marriott provided a
response to this request on 17 April 2020.

5.16. Due to the impact of the Covid-19 pandemic, on 17 April 2020 the
parties agreed a further statutory extension of time for the issuing

of a penalty notice to 30 September 2020.

6. CIRCUMSTANCES OF THE FAILURE: BREACHES

Marriott’s failures

6.1. The Commissioner’s conclusion i that between 25 May 2018, when
the GDPR entered into force, and 17 September 2018, Marriott failed

to comply with its obligations under Article 5(1)(f) and Article 32
GDPR. Marriott failed to process personal data i a manner that

ensured appropriate security of the personal data, including
protection against unauthorised or unlawful processing and against
accidental loss, destruction or damage, using appropriate technical

and organisational measures as required by Article 5(1)(f) and
Article 32 GDPR.

6.2. This section describes the specific failures to comply with the GDPR

that the Commissioner has found and responds to Marriott’s First
and Second Representations on the Commissioner’s NOI and draft
decision.

26 The relevant standard

6.3. As set out above, Article 5 GDPR requires that personal data shall

be processed in a manner that ensures appropriate security of the
personal data, including protection against unauthorised or unlawful

processing and against accidental loss, destruction or damage, using
appropriate technical or organisational measures. The data
controller, in this case Marriott, i responsible for, and must be able

to demonstrate compliance with, that requirement.

6.4. Article 32 GDPR concerns the security of processing personal data

and, taking into account the state of the art, the costs of
implementation and the nature, scope, context and purposes of
processing as well as the risk of varying likelihood and severity for

the rights and freedoms of natural persons, requires a controller to
implement appropriate technical and organisational measures to
ensure a level of security appropriate to the risk. Such measures

may include encryption of personal data and a process for regularly
testing, assessing and evaluating the effectiveness of such technical

and organisational measures.2°

6.5. Not every instance of unauthorised processing or breach of security
will necessarily amount to a breach of Article 5 or Article 32. The

obligation under Article 5 GDPR i to ensure appropriate security;
the obligation under Article 32 i to implement appropriate technical

and organisational measures to ensure an appropriate level of
security, taking account of the state of the art, the costs of
implementation and the nature, scope, context and purposes of

processing, as well as the risk to the rights of data subjects.

6.6. When considering whether there has been a breach of the GDPR and

whether to impose a penalty, the Commissioner must therefore
avoid reasoning purely with the benefit of hindsight. The focus
should be on the adequacy and appropriateness of the measures

implemented by the data controller, the risks that were known or
could reasonably have been identified or foreseen, and appropriate

measures falling within Article 5 and/or Article 32 GDPR that were
not, but could and should have been, i place.

2 See also Recitals 76, 77 and 83 GDPR.
2/6.7. Having carefully examined the available evidence, including the
evidence and submissions from Marriott and Marriott’s

Representations, the Commissioner i satisfied that there were
multiple failures by Marriott to put i place appropriate technical or

organisational measures to protect the personal data being
processed on Marriott’s systems, as required by the GDPR

6.8. The NOI and draft decision identified a number of failures by Marriott

to put i place appropriate security measures. Following careful
consideration of the detailed representations received from Marriott,

four principal failures by Marriott are now the subject of this Penalty
Notice, which are outlined below.

Preliminary issue: revised scope of the findings made

6.9. In the NOI and the draft decision, concerns were raised in relation

to the gaps which the Attack identified i the application of multi-
factor authentication (“MFA”) within the relevant Starwood

network. The Attacker was able to access the Starwood Cardholder
Data Environment (“CDE”) because MFA was not applied to a
accounts and systems with access to the CDE.

6.10. Marriott has explained that:

a. i believed that MFA was i place across the CDE because i had

received assurances from Starwood’s management to this
effect;2° and

b. this belief was corroborated by two Reports on Compliance
(“ROCs”), issued by independent PCI DSS?’ assessors on 29
April 2016 (pre-acquisition) and 23 May 2017 (post-

acquisition), which stated that MFA was i place for anyone
requiring access into the segmented CDE and was enabled on

the jump-server v ia 2° Marriott placed
particular reliance i its representations on 23 May 2017 report.

6.11. Having considered, i particular, Marriott’s Second Representations

i response to the draft decision,*? the Commissioner i satisfied
that Marriott did not breach its obligations under the GDPR by

2 Marriott’s First Representations, para 1.40(a).
2 Payment Card Industry Data Security Standard (“PCI DSS”).
2 Marriott’s First Representations, para 1.40(b).
2 Marriott’s Second Representations, paras 3.2 - 3.7 and 3.20-3.24.
28 relying upon the ROCs (in particular, the ROC issued i May 2017)
issued by the PCI DSS assessors to conclude that access to the CDE
was protected by MFA (albeit erroneously). The incomplete
implementation of MFA i not therefore the subject of this Penalty

Notice (and consequently was not taken into account i assessing
the appropriate penalty).

The four principal failures

6.12. Taking into account the representations made by Marriott,*° the
following four principal failures are the subject of this Penalty Notice.

(1) Insufficient Monitoring of Privileged Accounts

6.13. As explained above, the Attacker was able to obtain access to the

CDE by exploiting an unknown gap i the scope of application of
MFA. This failure to secure the ‘outer ring’ of the CDE i not the
subject of this Penalty Notice. Instead, i i of concern that once the

Attacker gained access to the CDE, appropriate and adequate
measures were not i place to allow for the identification of the
breach and to prevent further unauthorised activity (including
further unauthorised processing of personal data). This concern

arises first i respect of Marriott’s failure to put i place appropriate
Ongoing monitoring of user activity, particularly activity by
privileged accounts.

6.14. Marriott had itself determined that there was insufficient monitoring
o p rivleged u sr a ccount|

Whilst Marriott did deploy a Security Operations Centre (“SOC”)

P E , this was insufficient for the reasons given
at para 6.23 below.

6.15. The National Cyber Security (“NCSC”) guidance, published on 17

November 2018, entitled “10 Steps to Cyber Security: Guidance on
how organisations can protect themselves in cyberspace, including
the 10 steps to cybersecurity", lists “monitoring” as one of the
relevant steps. I explains the importance of monitoring to detecting

3 See,for exampleMarriott’s SecRepresentationparas2.2(b)-(c3.1(b)3.8-3.13and
3.25-3.29.
ee
29 or responding to attacks which have already taken place or
commenced:

Detect attacks: Either originating from outside’ the
organisation or attacks as a result of deliberate or accidental
user activity. Attacks may be directly targeted against
technical infrastructure or against the services being run.

Attacks can also seek to take advantage of legitimate
business services, for example by using stolen credentials to
defraud payment services.

React to attacks: An effective response to an attack depends

upon first being aware than an attack has happened or is
taking place. A swift response is essential to stop the attack,
and to respond and minimise the impact or damage caused.

Account for activity: You should have a complete
understanding of how systems, services and information are

being used by users. Failure to monitor systems and their use
could lead to attacks going unnoticed and/or non-compliance
with legal or regulatory requirements.?2

6.16. The NCSC guidance also explains that monitoring activities should

include, inter alia, the monitoring of network traffic and user
activity. This NCSC guidance builds upon earlier guidance published
by the NCSC which i to similar effect. See, for example, the NCSC

guidance entitled “Introduction to identity and access management”
published i January 2018? which refers to: (a) “basic principles to

follow when designing user access management”; and (b) “basic
architectural good practice when designing and administering access
management systems”. Such basic principles and practices include

“operations and monitoring - the supporting processes and
technology to identify and enable investigation of breaches of policy

or controls”. The guidance explains that:

Given the high value to an attacker of compromising your
identity and access management systems they should be
given priority for security maintenance. This means, amongst

other things, prompt application of security patches across
your estate (or otherwise mitigating security issues),
practicing good user and privileged user management, and

3 https: //www.nesc.gov.uk/collection/10-steps-to-cyber-security ?curPage=/collection/10-steps-
to-cyber-security/the-10-steps/monitoring
3 https: //www.ncsc.gov.uk/quidance/introduction-identity-and-access-management
30 applying appropriate protective monitoring. Additionally, we
recommend:

e designing your access control systems to allow for easy
monitoring of account usage and accesses
e being able to tie all user actions in the system to the user that

performed them...”

6.17. Both examples of NCSC guidance detail the basic need for multiple

security techniques, processes and technologies i order to secure
systems. Accordingly, Marriott ought to have been aware of the

need to have multiple layers of security i place i order to
adequately protect personal data. Although Marriott had assured
itself that i had MFA i place** (which, as explained above, the

Commissioner accepts that Marriott did), and had certain additional
security measures i place, this was not sufficient. Marriott ought to

have had i place better monitoring of user activity to aid i the
detection of an attack, as an additional layer of security.

6.18. A forensic report into the incident, dated 11 April 2019, was

commissioned by Marriott and prepared by Verizon (the “Verizon
Report”). I notes that Marriott had not configured logging i

respect of “access to systems and/or applications within the CDE.”?°
Marriott did have the results of the ROCs and its own annual

penetration tests. However, these did not evaluate’ the
appropriateness of the way i which Marriott monitored (including
through logging) the Starwood system or the configurations used

for any such monitoring (including logging). Logging configurations
are not within the scope of these tests. This i not a criticism of the

ROCs or the penetration tests themselves. Rather i reflects the fact
that Marriott ought to have taken steps to irmplement measures
which would identify vulnerabilities which the ROCs and penetration

tests would not identify. Such steps would include the
implementation of effective monitoring (including logging) and

alerts as part of Marriott’s wider security measures. This i the gap
identified by the Verizon Report.

6.19. In this case, appropriate monitoring would have included the

appropriate logging of user activity, especially i relation to
privileged users. The logging of user activity once within the CDE, i

34 Contrary to, for exampara 3.6 of Marriott’s SecRepresentations.
3 Verizon Report, page 18.
31 addition to the logging done by the Guardium software, would have

aided i the detection of unusual account activity (such as where, i
this case, the Attacker regularly utilised legitimate accounts to
perform unauthorised user activity within the CDE). Marriott's failure

to log user activity i this way was inconsistent with its obligations
under the GDPR.

6.20. Marriott states that “no amount of logging would necessarily have
identified an attacker unless the attacker operated from an identified
suspicious IP address, which is not the case in this matter.’*© I i

right to say that no security measure “would necessarily” work,
there being no guarantee that any security measure i wholly

effective. I i also true that i i harder to detect an attacker who i
not operating from a suspicious IP address. However, this i

precisely why the monitoring of legitimate user accounts (including
through logging) within the network for unusual activity i vital. This
i recognised by the NCSC, which states i relation to monitoring:

“these solutions should provide both signature-based capabilities to
detect known attacks, and heuristic capabilities to detect unusual

system behaviour".?’

(2) Insufficient Monitoring of Databases

6.21. In addition to the insufficient monitoring of user accounts and the
user activity linked to those accounts, Marriott failed to adequately

monitor the databases within the CDE. In this respect, the
Commissioner i concerned by the following three failures: (a)

deficiencies i Marriott’s setup of security alerts on databases within
the CDE; (b) the failure to aggregate logs; and (c) the failure to log

actions taken on the CDE system, such as the creation of files and
the exporting of entire database tables.

6.22. Marriott deployed IBM Guardium to monitor activity on the database

within the CDE. As configured by Marriott, IBM Guardium had two
functions. First, i logged activity (such as efforts to create, read,

update, or delete data within a database). Secondly, i issued alerts
i certain circumstances. The problems with the approach adopted
are as follows.

° Marriott’s Second Representations, para 3.39.
3 NCSC “10 Steps to Cyber Security” Guidance, dated2018:ovember
https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/the-10-steps/monitoring
326.23. With respect to logging, there were two main problems:

a. First, whilst Marriott had a security incident event management

system (“SIEM”) and a SOC to collect the logs being generated
by the system, Marriott did not ensure sufficient logging of key

activities such as user activity or actions taken on a database.
The insufficient logging rendered the SIEM and SOC ineffective.
Marriott also insufficiently logged i other areas of its network,

such as firewall and access logs.

b. Second, Marriott did not engage i server logging of the
creation of files (or alternatively i did not use the IBM
Guardium software i a similar way), which allowed the

Attacker to export entire databases to ‘dmp’ files undetected.
Such logging i likely to have been feasible for Marriott as such

mass export of data does not regularly occur within the normal
course of business so as to generate an unhelpful number of
false-positives. This form of logging on the system, and the

evaluation of the created logs, could have enabled Marriott to
detect unexpected activity within the CDE.

6.24. In response to the concerns raised, Marriott has referred to its use
of Proventa and McAfee’s IntruShield (two systems which generate
and aggregate logs).*® These are not, however, sufficient to address

the risks faced by the Starwood network. McAfee’s Intrushield aids
in the detection of zero-day, DoS attacks, spyware, malware,

botnets and VoIP threats, while Proventia operated as an intrusion
detection system. Like Proventa, IntruShield does not address the
shortcomings identified above, namely the failure to monitor

database activity and user actions on network devices.

6.25. Marriott stated i its First Representations, and the Commissioner
agrees, that such logging would not have prevented the Attack i of

itself, but “merely informs a response once the system operator is
aware of the malicious activity”.7° However, regular and close

monitoring and evaluation of logs can assist i the early detection
of attacks, their mitigation, and the prevention of future attacks.
That Marriott did not detect the Attack until alerted by Guardium i

3 Marriott’s Second Representations, para 3.40.
3 Marriott’s First Representations, para 1.61.
33 indicative of Marriott failing regularly to test, assess, and evaluate
the effectiveness of its security measures.

6.26. With respect to the Guardium alerts, the problem was that the
circumstances i which IBM Guardium would issue alerts were

limited i a way which undermined its ability to detect unauthorised
activity within the databases.

6.27. In particular, alerts were only placed on tables that contained

payment card information, and only specific queries (where table
names were directly referenced, such as i a count) triggered

warnings i the system. Although the database as a whole did have
some protection from Guardium,*2 the known actions of the
Attacker prior to 7 September 2018 did not meet the conditions for

the triggering of an alert.*4 Marriott has explained that specific
alerting rules and tables were chosen i order to reduce false-

positives. However, this explanation i insufficient to justify an
approach where only tables including payment card data were
placed within the scope of Guardium rules. Marriott’s focus on

payment card information illustrates a failure to implement
appropriate technical and organisational measures to ensure an

appropriate level of overall security for all other personal data.

6.28. A risk-based approach was required i this case (as acknowledged
i para 1.45 of Marriott's First Representations). Payment card data

i likely to be the highest risk category, and the tables containing
payment card data could therefore warrant higher security than

other tables depending on the sensitivity of the other data held.
However, while a risk-based approach may require payment card
data to have additional security alerts, this does not justify a

complete lack of alerts on tables containing other personal data.
Moreover, the other data held may vary i its sensitivity, requiring
different security measures to be applied to the tables/relevant

processing.

6.29. Marriott stated that i reasonably assumed, based upon the PCI DSS

testing results, that the Guardium alerts i respect of the CDE were
appropriately configured.*2 However, the PCI DSS tests concerned

40 Namely i terms of detecting unauthorised access based on IPs or failed login attempts, which the
Attacker i this incident bypassed through comprouser credentials.
+ As confirmed by Marriott in its correspondence dated 20 D2018, page 6.
4 Marriott’s First Representations, paras 1.43-44.
34 the perimeter defences against an attack rather than monitoring
systems concerned with the detection of an attacker who had

already penetrated the CDE. The tests did not assess the
appropriateness of the discriminatory application of the alerts across

the CDE segment, nor what this meant for the security of categories
of personal data stored i tables which did not contain payment card
information. They do not, therefore, provide the reasonable

assurance which Marriott claims.

6.30. Finally, Marriott suggested that because i believed MFA was

implemented across the CDE, this rendered its reliance on that
authentication tool and the Guardium alerts as _ configured
reasonable and therefore i compliance with Articles 5(1)(f) and 32

GDPR. This i not accepted, monitoring (including logging) of the
types discussed i paras 6.13 to 6.29 above are standard security

measures. Control of access through MFA does not displace the need
for adequate monitoring (including logging) of activities that assist
i detecting a breach once i i i train (see paras 6.15-6.17 above).

(3) Control of critical systems

6.31. As discussed at paragraphs 6.13-6.30 above, Marriott failed to
ensure that the actions taken on its systems were appropriately

monitored. In addition to the use of monitoring and security alerts,
i would have been appropriate for Marriott to implement a form of
server hardening as a preventative measure, which could have

prevented the Attacker from gaining access to administrator
accounts and performing reconnaissance before traversing across a
network.

6.32. In particular, the implementation of whitelisting i one way in which
Marriott could have performed server hardening. Whitelisting i a

form of programming which only allows certain users or IP addresses
to access certain systems or software, as required for their specific
role. I i important i reducing attack surfaces and reducing the risk

of attackers being able to traverse through a network after gaining
entry to a single user account.

6.33. Whitelisting should be deployed where appropriate on critical
systems, and those systems which have access to large amounts of
personal data. The NCSC Guidance states that: “you should develop

a strategy to remove or disable unnecessary functionality from

35 systems.”*? Whitelisting i also described i NCSC Cyber Essentials

guidance as a defence against malware.** This supports advice given
i earlier guidance by NIST. In October 2015 NIST published a guide

to whitelisting which shows how whitelisting can be utilised to
prevent unauthorised software from being installed on a device.*°
In this incident, whitelisting could have aided i halting the

reconnaissance and privilege escalation stage of the Attack.

6.34. There are many forms of whitelisting. Binary software whitelisting i

a form of access control where only authorised software and scripts
can be installed on a given system or user areas. For example, only

allowing pre-approved software such as Microsoft Word and Outlook
to be installed on work laptops. This can be distinguished from other
forms of whitelisting, such as the process by which only authorised

IP addresses can gain access to network resources.*© Whilst i i not
possible to list the devices i relation to which whitelisting could

have been appropriate, at a minimum whitelisting would be
expected on: (a) devices which could be remotely accessed; (b)

devices which store large amounts or, or sensitive categories of,
personal data; (c) any other systems which Marriott regards as

‘critical’ to their network operations; (d) any POS terminals at a
property level; and any other devices which process payment card
transactions.*”? The implementation of binary software whitelisting

would — i correctly implemented - have prevented the installation
and execution of a RAT. While i i true that the RAT was installed

and executed on the system both pre-acquisition and pre-GDPR, and
was therefore not attributable to Marriott, the continued absence of

whitelisting post-GDPR left the systems for which Marriott was
responsible vulnerable to further RAT installations and executions.

6.35. Marriott stated i its First Representations that binary software

whitelisting was rarely implemented by companies at the time of the

See https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/the-10-steps
44 NCSC Cyber Essentials GuidancRequirements for IT infrastructure (dated April 2020):
https ://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-IT-infrastructure.pdf (pages 10-
11, under the heading “MalwaProtection”). This language was also included i the now archived
version of this guidance, which dated from January 2015:
https: //webarchive. nationalarchives. gov.uk/20150605225501/https://www.gov.uk/government/pu
blications/10-steps-to-cyber-security -advice-sheets/10-steps-secure-configuration--11
45 https: //nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf (dated October
2015). See, i particular, section 2.1 on page 2.
4 See para 1.52 of Marriott’s First Representations.
47“Protecting Point of Sale Devices from Targeted Attacks” (Microsoft), dated 1 April 2014.
https://download. microsoft.com/documents/en-us/Protecting_Point_of_Sale_Devices-
April_2014.pdf. See, i particular, page 5.
36 incident, because i places a heavy burden on IT systems.*®

However, binary software whitelisting was a well-recognised and
established security practice for some time before the GDPR came

into force, and certainly by that date. The NCSC Guidance lists
whitelisting (“prevent unknown software from being able to run or

install itself...") as a “Cyber Essential”. That guidance was published
in October 2015, and therefore pre-dates the GDPR.*° In addition,

there i guidance published by the National Institute of Standards
and Technology (“NIST”), which recognises whitelisting as a better
option than anti-malware.°° The NIST Guidance was published i

2015, and therefore significantly pre-dates the implementation of
the GDPR.

6.36. Marriott also stated i its First Representations that binary software
whitelisting could be circumvented by attackers ‘side loading’ RATS

by using legitimate executable code.>! Whitelisting, like all security
measures, cannot be entirely resistant to attack. However, where

side-loading did take place i the Attack, that appears to have been
because Marriott’s systems vaguely or improperly specified a

dynamic-link library (DLL) which allowed such side-loading to take
place.°* Whilst Marriott i right to suggest that these are risks which
cannot be fully eliminated from any third-party software,>? this only

highlights the fact that Marriott ought to have carried out regular
audits, updates of software and restricted file and directory

permissions. The existence of outdated/obsolete software i also an
issue noted i both the 2017 and 2018 PCI DSS Reports, and these

could have been mitigated by properly reacting to issues discovered
i the penetration tests.

6.37. In any event, no single security measure can fully protect a system
against attack or compromise. I would have been appropriate for

Marriott to have implemented a ‘defence i depth’ strategy, of which
whitelisting could play an important role, i order to protect their
systems against attack and monitor activity on their network i

4 Marriott’s First Representations, para 1.53.
4 See: https: //www.ncsc.gov.uk/information/reducing-your-exposure-to-cyber-attack
5 See: https://www.ncsc.gov.uk/information/reducing-your-exposure-to-cyber-attacthend
reference to “whitelisting and execution control - preventsoftware from being able to run
or install itself.”
5 Marriott’s First Representations, para 1.53.
allow side loading to take place.echniques/T1for an explanationof the vulnerabilities that
5 Marriott’s Second Representations, para 3.31.

37 order to promptly mitigate any unauthorised or malicious actions

that managed to bypass their security controls.

6.38. The measures discussed above are readily available and mature
solutions (i.e. solutions that have been known about i the industry

for a long period of time), which are appropriate and could have
been implemented by Marriott, to the extent necessary, without

entailing excessive cost or technical difficulties. However, i i only
suggested that whitelisting (or equivalent server hardening
measures which would limit the functionality of systems to only that

which i required of them) could be appropriately deployed on (a)
critical systems which attackers may target whilst looking to access

other, sensitive areas of the network, or (b) systems which could
access other (separate) systems containing personal data.

Therefore, i would be appropriate to implement a server hardening
measure across devices with access to the CDE, the CDE
environment itself and any other network devices that could access

either large quantities or sensitive categories of personal data.

(4) Encryption

6.39. Payment card data and, i some cases, passport numbers, were

encrypted by Marriott using AES-128, an industry standard
encryption algorithm. Oracle databases (the Starwood reservation
database included tables stored i an Oracle database) provided the

functionality to encrypt table entries in this way, and i was Marriot’s
responsibility to ensure this was configured correctly.

6.40. However, i keeping with Marriott’s focus on PCI DSS compliance,
encryption was not applied to other categories of personal data. The

Commissioner i particularly concerned that not all passport
numbers were encrypted.

6.41. In its First and Second Representations, Marriott stated that i had

adopted a mature and risk-based approach to cyber security by
targeting its security efforts on the tables containing cardholder

information.** In support of its position, Marriott relied upon a
selective quotation from the NCSC Guidance i its written

54 Marriott’Representations,para 1.27 and 1.63,see also para 3.45 of Marriott’Second
Representations.
38 submissions. However, the Commissioner notes that the full quote
provides as follows:

In some scenarios, the use of encryption to protect bulk data
should be the norm. For example, where data is transmitted

over the internet, stored on a laptop, or stored on removable
media. However, encryption relies on good key management,
and in some scenarios i is challenging to engineer a solution

which makes meaningful use of encryption to protect personal
data. This is sometimes the case in systems which are always

online, where data needs to be available to query. In these
scenarios, your systems architects and designers will
need to think carefully about how encryption can be used

in a meaningful way.”

6.42. However, Marriott has not provided any risk assessments which

demonstrate the evaluative judgement i arrived at and the rationale
for its approach to the encryption of personal data. On the contrary,
Marriott has taken an inconsistent approach by encrypting some but

not all passport numbers. In addition, while i may be true that
cardholder information i of higher risk than other categories of

personal data, this does not vitiate the risk to other categories of
personal data. Thus, while the NCSC guidance quoted above, does
not say that Marriott i required to implement encryption across all

personal data, i does require Marriott to explain why i chose to
selectively encrypt data.°® Even i Marriott reasonably believed that

the CDE was protected by MFA, i was aware - or ought to have
been aware - that no system i fully secure.>’

6.43. Marriott, i its First Representations, also claimed that i would have

been impractical for i to have encrypted any more personal data
than i did.°° However a number of methods exist to facilitate the
identification of the user to which a piece of data refers, so that

decryption of personal data can take place quickly and when
necessary. One method i through the use of a unique identifier

(such as an UUID), which can aid i querying and decrypting
individual pieces of data associated with individual customers where
required i almost real-time. There are also Hardware Security

° See: https://www.ncsc.gov.uk/collection/protecting-bulk-pers(emphasis added).
5 Marriott’s Second Representations, para 3.46(c).
5 Marriott’s Second Representations, para 3.46(b).
5 Marriott’s First Representations, para 1.27(b).
39 Modules which Marriott could have utilised, encrypting data i near
real time at its source and decrypting i at its destination.

6.44. In additionthe level of security that the encrcouldnhave
achievedwas compromisedwithin the Starwooguest reservation
databaseby a script, developby Starwood,which allowedfor
AES-128 encrypted entries i a database table to be dec|ypted. |
ee
ee
ee
ee
a

e e
SS
6 ee
a
a
ee
a
a

a
a
ee
ee
6 ee
a
a

a
a
a
ee
CSC
6 ee
a

ee

agrees that i i unlikely that the attacker did run i the attacker sons of times,le the Commissioner
wished, this could have been achieved i very little timeprocess.uld be run as an automated
6 Marriott’s Second Representations, para 3.46(a). 4oOMarriott’s wider arguments

6.48. In addition to the arguments referred to above, Marriott’s
Representations raised a number of more general legal and/or

factual arguments. This section addresses the following submissions
made by Marriott:

oy First, that the Commissioner had assessed the issue of breach
without reference to “any clear standards”°! reasoned with the

benefit of hindsight and regarded the fact that the Attack was
successful as an indicator that the security measures were

inappropriate.°* Marriott claims that the Commissioner has
applied an “impossibly high standard of care”.°?

Ss Second, that the Commissioner failed to apply a holistic

approach.

a Third, that the Commissioner impermissibly relied upon

Marriott’s pre-GDPR conduct, and incorrectly concluded on a
provisional basis that Marriott had failed to carry out sufficient

and appropriate due diligence.

Qo. Fourth, that the Commissioner erred i referring to Article 25
GDPR i the NOI.®

@ Fifth, that the Commissioner erred i reaching the provisional
view i the NOI that Marriott had breached the notification

requirement under Article 33 of the GDPR.°”

6 Marriott’s First Representations, paras 1.3-1.7.
6 Marriott’sFirstRepresentations, paras 1.8-1.12. See, to similareffect,Marriott’sSecond
Representations,Executive Summary, para 3, and para 3.1(b), and paras 3.15-3.18.
6 Marriott’s First Representations, Executive Summapara 1; para 1.2, see also Marriott’s Second
Representations, paras 3.14-3.18.
64 Marriott’s First RepresentatioExecutive Summary, paras land 5, and paras 1.13-1.15; and
Marriott’s SecondRepresentations, para 2.2(c).
6 Marriott’s First RepresentatioExecutive Summary, paras 3-4, paras 1.18-1.20 and 1.29-1.37.
6 Marriott’s First Representations, para 1.21.
6 Marriott’s First RepresentatioExecutive Summary, para 7, and paras 2.1-2.10 and 2.16.
At f. Sixth, that the Commissioner was wrong provisionally to find

i the NOI that Marriott’s notification to data subjects breached
Article 34 of the GDPR.®

6.49. In its First and Second Representations, Marriott also advanced a
number of points i relation to: (a) the Commissioner’s approach to

determining whether to impose a penalty; and (b) her methodology
i calculating the proposed penalty as set out i the Notice of Intent

and the draft decision. These arguments are addressed i Section 7
below.

(1) The correct approach/standard

6.50. Marriott claims that: (a) the Commissioner’s factual findings were
inaccurate; and/or (b) the Commissioner cannot maintain the
conclusion that appropriate measures were available that Marriott

failed to take to remove and/or mitigate the risk of an attack of the
kind which occurred i this case because she had applied the

incorrect standard or approach.®?

6.51. In the analysis set out above, the Commissioner has clarified certain

factual findings made i the Notice of Intent i the light of the
submissions made by Marriott i both its First and Second

Representations, including by, i particular, clarifying her position i
respect of the incomplete application of MFA.

6.52. Further, paragraphs 6.3-6.8 above, provide an accurate summary
of the position on the relevant standard and set out the

Commissioner’s response to Marriott’s argument that she applied an
incorrect, unduly high, inappropriate or unclear standard i the NOI
and/or draft penalty notice. The analysis set out i Section 6 above

clearly explains the basis for the finding that Marriott failed to put i
place appropriate security arrangements as required by the GDPR

by reference to the specific facts of this case. Contrary to the claims
made i Marriott’s First Representations, the Commissioner has not

applied a one-size-fits-all approach to what measures are
appropriate to secure different types of personal data.”°

6 Marriott’s First Representations, paras 2.11-2.15 and 2.16.
RepresentationsExecutive Summary,,para 3.1.3—1.5 and 1.39-1.70; and Marriott’sSecond
7 Contrary to, i particular, paras 1.16-1.17 of Marriott’s First Representations.

426.53. As the Commissioner has set out above, and as she set out in the

NOI, there were a number of appropriate measure(s) available to
Marriott that an organisation of its scale would be expected to take
to secure its data operations. Contrary to the claims made by

Marriott, this Penalty Notice (nor the NOI/draft decision) do not
proceed on the basis that simply because the Starwood system was

the victim of the Attack, i follows that Marriott breached the
GDPR.’! The reasoning supporting this Penalty Notice, and the NOI
and draft decision, does not adopt such a simplistic approach.

6.54. For essentially the same _ reasons, contrary to Marriott’s
submissions,’* the Commissioner’s findings do not involve applying

the benefit of hindsight i an improper manner, or at a (as already
explained above). The Commissioner i satisfied that there were four

distinct weaknesses i Marriott’s system each of which Marriott
ought to have identified and remedied, using one of the range of
options available to Marriott (as discussed above). The

Commissioner does not rely on the ‘success’ of the Attack as
evidence that a breach of the GDPR definitely occurred. Instead, the

Attacker’s ability to exploit deficiencies i Marriott’s security
measures, for which remedies were available, discloses wider
failures to put appropriate measures i place. In particular, the

failure to encrypt all passport numbers was inadequate. There was
also a failure to place Guardium alerts on tables other than those

which contained payment information, thereby allowing the attack
to go on undetected for a longer period.

6.55. At para 1.12 of its First Representations, Marriott also claims that
there i no basis for the suggestion that, under the GDPR, i ought
to have identified the type of Attack which i the subject of this

Notice, or carried out any further improvements on the Starwood
systems, because the system was the “victim of a sophisticated

attacker, which adopted a multi-vectored approach to its attack and
was able to circumvent numerous protections that were in place”.
However, the sophistication or specific vector of the attack i not the

relevant focus. A controller has to implement appropriate measures
to ensure the security of its systems. The measures mentioned

above could have been implemented using standard industry tools,
and could have prevented, detected and/or mitigated the impact of

7 Marriott’s First Representations, §§1.8-1.9.
7 See, i particular, Marriott’s SRepresentations, paras 3.15-3.18.
43 the Attack. What the Attack disclosed was the failure by Marriott to
put i place appropriate security measures to address attacks of this

kind and/or other identifiable risks to the system.

6.56. Furthermore, Marriott was wrong to state’? that the fact that the

relevant Starwood IT system was due to be retired shortly means
that i was not necessary to put i place the types of appropriate
measures identified above i order to comply with Articles 5(1)(f)

and/or 32 GDPR.

6.57. In particular, Marriott relies on the fact that i originally intended to

decommission the Starwood system i the first quarter of 2018 i
response to the concerns raised about its security measures. I i
important to note that the intended decommissioning was due to

take place approximately a year and half after the acquisition of
Starwood, a long period of time during which data continued to be

processed on the system. In fact, the intended decommissioning did
not take place i the first quarter of 2018; the timetable was altered
such that i was only to be achieved by the end of 2018. Whilst the

Commissioner accepts that Marriott could not have known about the
delay to the decommissioning timetable at the outset,’* i early

2018 Marriott was aware that the GDPR was coming into force and
that i would be continuing to process data within the Starwood
network for a number of months after that. During this period,

appropriate monitoring (including logging), and alerting tools could
have been implemented relatively quickly i order to secure the
systems until their decommissioning at the end of 2018.

6.58. Many of the measures identified i the discussion of the 4 principal
errors above could have been easily implemented as part of the

security improvements which Marriott was already making over this
period. With regards to logging, the appropriate changes to what
was i fact being logged could have been made as part of Marriott’s

SIEM and SOC projects. No additional steps as part of the “general
IT lifecycle process” would have been required.”° Similarly, changes

to the Guardium alert settings could have been made relatively
quickly and easily when IBM Guardium was deployed. The
appropriate server hardening measures could have been

7 Marriott’s Second Representations, para 3.32-3.36.
7 Marriott’s Second Representations, paras 3.35-3.36.
7 Marriott’s Second Representations, para 3.38.
44 implemented within 6-12 months (depending on which measures
Marriott selected and how i chose to implement them).

6.59. The fact that an IT system i due to be retired shortly does not
disapply the GDPR to the data being processed through that system.

Marriott was still obliged to decide what appropriate measures
should be i place i the light of the continued use of the system.
While the fact that a system i to be decommissioned may be a

relevant factor i determining what measures would be appropriate
i a given case, this ultimately does not remove the basic obligation

to put i place security measures appropriate to the risk posed by
the continued processing. This may mitigate against, for example, a
requirement that a controller, even one of the size and scale of

Marriott, put i place expensive, state-of-the-art measures, where
the system i to be decommissioned i the near future. However,

where other appropriate measures are available without entailing
disproportionate cost or delay, they should be put i place i they
are required to ensure a level of security appropriate to the risks

posed by continued processing. As explained above, the specific
measures identified i the discussion of the four principal errors

above are all ones which could have been put i place i a short
amount of time, and which would not have entailed excessive cost.

(2) A holistic approach

6.60. The Commissioner has had regard to Marriott’s detailed submissions

on the security measures i had i place generally, and those i
implemented after its limited due diligence on the Starwood
systems.’© However, the investigation has identified a number of

appropriate measures or steps that should have been taken by
Marriott to address the identified security risks within its system.

The Attack, and/or other attacks which could have occurred as a
result of the deficiencies i Marriott’s systems, identified above,
mean that, even judged holistically, Marriott’s technical and

organisational data security arrangements cannot be regarded as
sufficient or appropriate.

6.61. The Commissioner has also considered Marriott’s submissions about
the improvements made to Starwood’s systems post-acquisition,
which are said to show that i engaged i appropriate due

7 See, i particular, para 1.35 and paras 1.39-1.70 of Marriott’s First Representations.
45 diligence.’”” However, i i notable that none of those steps identified

the relevant, easily detectable, deficiencies i Marriott’s security,
which could have been easily addressed but were exploited during
the Attack. Marriott’s submissions i this regard focus on

improvements i made to its own systems, and which the Starwood
systems / data would benefit from when they were migrated to its

network (paras 1.35(b)-(c) of Marriott’s First Representations). But
this does not meet the concern that Marriott continued to use the
Starwood system without remedying the clear deficiencies i its

security arrangements. I i clear from Marriott’s Representations’®
that only limited changes were made to the Starwood system

because i was expected to be decommissioned sometime i the
future. I i apparent that these changes were not sufficient to

address the failings described above which should have been
addressed given the ongoing processing that was to take place prior
to decommissioning.

(3) Pre-GDPR conduct and due diligence

6.62. Marriott i wrong to argue that the NOI relied upon Marriott’s failure
to appropriately secure its systems and the personal data stored on

them, prior to the period covered by the GDPR. The fact that no such
reliance was placed on the pre-GDPR conduct was made clear i the
NOI itself.7?

6.63. Marriott’s argument i this regard relies on the claim that any duty
to undertake a due diligence process i one which would have to be

discharged prior to or shortly after acquisition. Marriott submitted
that i i not tenable to proceed on the basis that acquisition due

diligence i a “seemingly endless” process.®°

6.64. While the Commissioner accepts that the acquisition of a company /
data processing operations are a trigger for a controller to carry out

due diligence, either immediately prior to acquisition or shortly
thereafter, this i not the only trigger point for such activity. The

need for a controller to conduct due diligence i respect of its data
operations i not time-limited or a ‘one-off’ requirement. In

7 Marriott’s First Representations, paras 1.15 and 1.30-1.35.
7 See paras 1.34 and 1.35(d) of Marriott’s First Representations and paras 3.35-3.36 of Marriott’s
Second RepresentationsSee also para 6.56 above.
7 Marriott’s First Representatparas 2.4-2.10;see also Marriott’s First Representparans,
1.20.
8 Marriott’s First Representations, para 1.20(a) and (b).
46 particular, the coming into effect of the GDPR was, for a global
business like Marriott, a highly relevant factor.

6.65. Controllers such as Marriott would have been aware for some time
that the GDPR was going to come into effect on 25 May 2018. I was

incumbent on such controllers to ensure that their data processing
complied with the provisions of EU law from that date. However,
after May 2018 Marriott continued to process personal data using a

system that was deficient i a number of respects, and those
deficiencies only came to light following the discovery of the Attack

some months later.

6.66. Given Marriott’s ongoing duty to ensure that the systems i had
acquired from Starwood were GDPR compliant, i i no answer to

claim that certain due diligence steps were, or only needed to be,
taken i the period immediately after acquisition. Controllers cannot

process personal data without appropriate security measures being
i place on the basis that the system was deficient prior to May 2018
and has not been remedied. Even i adequate due diligence had been

undertaken at the point of acquisition, that would not have removed
Marriott’s obligation to ensure, on a continuing basis, that i

complied with the GDPR, once that Regulation came into force.

6.67. Marriott recognises this, but relies upon inter alia its PCI DSS
assessment process as the means by which this continuing

obligation was discharged.®t However, PCI DSS assessments are
limited i their ability to detect and mitigate vulnerabilities within a

network, for the reasons given at paragraph 6.29 above. Rather,
adequate and appropriate due diligence would have _ included
reviewing the adequacy of the monitoring (including logging)

systems within the network.

6.68. Thus, for the avoidance of any doubt, this decision relates solely to
Marriott’s failures after 25 May 2018. The Commissioner has not

issued a decision under the Data Protection Act 1998 (“DPA
1998”), despite the historic, pre-2018 nature of the concerns i

respect of the Starwood system.

8 Marriott’s Second Representations, page 47.
47 () A ticle 25

6.69. The Commissioner acknowledges that the NOI, at para 58, included

an erroneous reference to Article 25 GDPR. This was a typographical
error. The penalty figure set out i the NOI did not take into account
any breach of Article 25.

(5) Article 33

6.70. At the NOI stage, a provisional finding of breach of Article 33 GDPR
was proposed. However, this finding no longer forms part of the
decision against Marriott.

6.71. In reaching this decision, the Commissioner did consider Marriott’s
claims that ( the Commissioner failed to identify the date on which
Marriott became aware of the breach;® and (ii) the Commissioner

misapplied the GDPR rules on when a controller must be taken to be
aware of a personal data breach.®?

6.72. However, i i not accepted that the NOI failed to identify the date
on which Marriott became aware of the breach for the purposes of
Article 33 GDPR. The Commissioner identified 8 September 2018 as

the relevant date at para 52 of the NOI: “Marriott had been aware
of unauthorised access to the Starwood systems since the Guardium
alert on 8 September 2018... It would have been reasonable at that

point for Marriott to conclude that personal data was likely to have
been accessed by an unauthorised party.” The reference to the

“dmp” files i para 53 of the NOI cannot reasonably be read as
referring to the identification of the dmp files on 13 November
2018.4 Rather, this was a reference to the fact that on 7 September

2018 the Attacker exported the “Guest_Master_Profile” table - a
table that Marriott knew to contain personal data - into a “dmp’” file.
Marriott was alerted to the presence of the Attacker by Accenture

on 8 September 2018, the day after this took place.

6.73. Marriott was also incorrect to submit that the GDPR requires a data

controller to be reasonably certain that a personal data breach has
occurred before notifying the Commissioner. Rather, a data
controller must be able reasonably to conclude that i i likely a

8 Marriott’s First Representations, -2, 3.2.1
8 Marriott’s First Representations, -2.11.2.4
8 Marriott’s First Representations, para 2.1.
48 personal data breach has occurred to trigger the notification

requirement under Article 33.

6.74. Nevertheless, the Commissioner took into account, i particular,
Marriott’s explanation that a count can be performed on a database

without any of the personal data held on that database being
accessed, and that Marriott’s position i that i was unaware of the

export of the “Guest_Master_Profile” table into a “dmp” file (which
took place on 7 September 2018) until 13 November 2018. ® The
Commissioner has also taken into account Marriott’s submission that

the “Guest_Master_Profile” contained non-personal data, and
therefore i was only with decryption of that file on 19 November

2018 that i became aware of the personal data breach.

6.75. Thus, i this particular case, and i the light of Marriott’s

Representations, the Commissioner has decided not to make a
finding that Marriott breached Article 33 GDPR.

(6) Article 34

6.76. The NOI contained a provisional finding of a breach of Article 34

GDPR. Marriott submitted detailed submissions i response to that
proposal.®

6.77. The Commissioner recognises that Marriott established a dedicated
website regarding the breach, and issued a press release which was
widely-reported.®” Marriott claims in its Representations that a

dedicated website and press release would have been sufficient for
i to have discharged its obligations under Article 34.8° This i

incorrect.

6.78. Article 34(1) requires Marriott to “communicate the personal data

breach to the data subject” (emphasis added). Where this would
involve “disproportionate effort”, Marriott may issue a public
communication or similar measure (Article 34(3)(c)). Sending an

email to data subjects whose current email addresses are stored on
Marriott’s systems i not, on any view, a disproportionate measure.

I i a routine commercial activity. This i supported by the fact that
Marriott did inform the data subjects, via email, very soon after i

8 Marriott’s First Representations, paras 2.4-2.10.
8 Marriott’s First Representations, paras 2.11-2.16.
8 Marriott’s First Representations, para 2.12.
8 Marriott’s First Representations, para 2.14.
49 identified the breach. The Commissioner accepts that some data
subjects will not have been contactable i that way; the most

obvious example being individuals who had changed their contact
details. In these cases, i may have involved a disproportionate

effort to track those individuals down i order to communicate the
breach and, for such individuals, Marriott will have discharged its
duty by way of its press release and dedicated website. However,

Marriott i not entitled to rely upon communications which are
addressed to the world at large (such as its press release and

website) as discharging its duties under Article 34(1) i relation to
all data subjects.

6.79. The Commissioner i accordingly entitled to consider Marriott's

direct communications (including emails) with the affected data
subjects as the means by which Marriott sought to satisfy its

obligations under Article 34 GDPR.

6.80. The email sent by Marriot referred to a “dedicated call centre”, this
being a specific telephone line set up for affected data subjects to

contact for further information, but i did not include the telephone
number. The email, having communicated the “name” of the contact

point, did not communicate the “contact details” of the point where
more information could be obtained. While plainly not deliberate,
these omissions to some extent undermined the effectiveness of the

notification.

6.81. The Commissioner has taken into account the fact that the email

contained a link to the dedicated website, which i turn provided the
telephone number for the dedicated call centre,®? although the email
itself did not. On this occasion, and i light of the information that

Marriott did i fact provide to affected data subjects, this Penalty
Notice does not include any finding that Marriott breached Article 34
GDPR.

7.REASONS FOR IMPOSING A PENALTY & CALCULATION

OF THE APPROPRIATE AMOUNT

7.1. For the reasons set out above, the Commissioner’s view i that
Marriott has failed to comply with Articles 5(1)(f) and 32 GDPR.
These failures fall within the scope of section 149(2) and 155(1)(a)

8 Marriott’s First Representations, para 2.14(a).
50 DPA. For the reasons explained below, the Commissioner has
decided that i i appropriate to impose a penalty i the light of the

infringements she has identified.

7.2. In deciding to impose a penalty, and calculating the appropriate

amount, the Commissioner has had regard to the matters listed i
Articles 83(1) and (2) GDPR and has applied the five-step approach
set out in her RAP.

The imposition of a penalty i appropriate in this case

7.3. Both the RAP and Article 83 GDPR provide guidance as to the
circumstances i which i i appropriate to impose an administrative

fine or penalty for breaches of the obligations imposed by the GDPR.

7.4. Article 83(2) GDPR lists a number of factors that must be taken into

account. These are each discussed i detail below i determining the
appropriate level of fine, i accordance with the steps outlined i the
RAP. The points made below are also relied upon i justifying the

Commissioner’s decision to impose a penalty, i the light of the
findings of infringement set out above.

7.5. The RAP provides guidance on when the Commissioner will deem a
penalty to be appropriate.°° In particular, the RAP explains that a
penalty i more likely to be imposed where, inter alia, (a) a number

of individuals have been affected; (b) there has been a degree of
damage or harm (which may _ include’ distress and/or

embarrassment); and (c) there has been a failure to apply
reasonable measures (including relating to privacy by design) to
mitigate any breach (or the possibility of it).

7.6. As discussed in more detail below, each of those features i present
i this case. Taking together the findings made above about the

nature of the infringements, their likely impact, and the fact that
Marriott failed to comply with its GDPR_ obligations, the
Commissioner considers i appropriate to apply an effective,

dissuasive and proportionate penalty, reflecting the seriousness of
the breaches which have occurred.

° Pages 24-25, see para 2.37 above.
51Calculation of the appropriate penalty

Step 1: an ‘initial element’ removing any financial gain from the
breach*!

7.7. Marriott did not gain any financial benefit, or avoid any losses,
directly or indirectly as a result of the breach. The Commissioner

has not, therefore, added an initial element at this stage.

Step 2: Adding i an element to censure the breach based on its
scale and severity, taking into account the considerations identified
at sections 155(2)-(4) DPA

7.8. Sections 155(2)-(4) DPA refer to and reproduce the matters listed
i Articles 83(1) and 83(2).

The nature, gravity and duration of the failure (Article
83(2)(a))

7.9. Nature and gravity of the failures: The nature of the failures i
of significant concern. As set out above, there were multiple

measures that Marriott could have put i place that would have
allowed for the detection of or mitigated the Attack insofar as i
continued after 25 May 2018.°2 What the Attack shows i that during

the relevant period Marriott was processing data on a system that
had multiple security failings that were exploited by the Attacker

and could have been exploited by others.

7.10. In Marriott’s submissions i has placed a great deal of emphasis on

other security measures i had i place, criticising the NOI/draft
decision for failing to look at the matter holistically.?? This criticism
i misplaced. The Commissioner has carried out a holistic analysis

of the relevant systems and security processes operated by Marriott.
What that analysis showed was that the measures identified i

section 6 above were appropriate to secure the CDE. Marriott’s
implementation (or perceived implementation) of other security

measures was not sufficient. I was appropriate for there to be

° Removing any financial gain the data controllerhave obtainedfrom the infringementi
consistent with ensuring that the penalty i effective, proportionate and dissuasive (Article 83(1)),
and has regard to Article 83(2)(whichrefers to “financial benefits gaor losses avoided,
directly or indirectly, from the infringement. ”
° Marriott’s First Representations at para 3.2(a) have been considered and in section 6
above.
° Marriott’s Second Representations, para 2.2(c).
52 multiple layers of security i this case (for the reasons given at

paragraph 6.17 above).

7.11. An extremely large number of individuals were affected by the

breach, specifically, 339 million guest records, of which — for the
purposes of this penalty - 30.1 million®* were guest records
associated with EEA member states. Marriott has explained that the

total number of affected guests i difficult to estimate from this
figure as i may hold multiple records for an individual guest.°° Even

taking into account that the true number of affected individuals may
be 40% lower than initially estimated by Marriott,°° this i still a

significant number of individuals.

7.12. The mitigating steps taken by Marriott will have gone some way to

reassuring Marriott’s customers and therefore may have reduced or
mitigated the distress that may otherwise have been caused by the
data breach. The assurances given and the mitigating steps taken

by Marriott are taken into account below. I i nevertheless likely
that some of the affected individuals will, depending on their

circumstances, still have suffered anxiety and distress as a result of
the disclosure of their personal information (including payment card

information?”) to an unknown individual or individuals. The
Commissioner has considered i this regard the submissions made
by Marriott i i Representations.°° She notes the following points:

a. The Commissioner has not seen any evidence of financial
damage and i not required to investigate the existence or
otherwise of financial damage.°? In calculating the appropriate

level of penalty, the potential existence of such damage has not
been assumed or taken into account.

b. I i possible that some individuals may have cancelled their
payment cards. Contrary to Marriott’s submissions,!°° the
Commissioner i not required to investigate or identify evidence

of individuals actually cancelling their cards. In circumstances

° Marriott’s First Representations, page 65
° See Marriott’s Second Representations, paras 2.4-2.6.
% Ibid.
° Notwithstandingthe fact that there wano actual financial hato individuals, see Marriott’s
Second Representations para 2.7(a)(i).
° Marriott’s First Representatipara 3.1(d) and Marriott’s SecoRepresentationsparas 2.7-
2.8,
° A paint emphasisedi Marriott’s First Representatipara 3.2(d)(ii)(A); and Marriott’s Second
Representations, para 2.7(a)(i).
100 Marriott’s Second Representations, para 2.7(a)(iii).
53 where a large number of individuals have been informed that

their data, including some credit card data have been
compromised, the Commissioner considers i likely that some
individuals will have taken this step.

c The possibility that some individuals may have been prompted
to cancel their payment cards i just one element of the overall

assessment of whether the breaches of the GDPR were likely to
cause distress. The act of cancelling a card may i and of itself
only cause inconvenience. I i the reason why such action was

necessary, the disclosure of personal information, that can
cause distress amongst some.

d. The fact that the Marriott call centre received 57,000 calls
between 30 November 2018 and 31 May 2019 (7,500 of these
being calls to EU-based call centres) i indicative of the

potential level of concern amongst affected data subjects on
learning of the breach and subsequently.*%

e. Further, even i individuals opted not to cancel their credit
cards, the Commissioner considers i likely that some
individuals will have experienced distress at having their

personal data exposed i a large-scale data breach. Marriott’s
suggestion that distress will only arise i cases where they are

advised by their banks to cancel their payment cards!° ignores
the fact that a personal data (not just financial data) i of
significance to individuals, a significance which i reflected i

the legal protections afforded to that data under the GDPR.

7.13. Duration: Although the Attack itself spanned a four-year period,
the infringements that the Commissioner relies on i this Notice

occurred between 25 May 2018 (the date when the GDPR came into
force) and 17 September 2018. The Commissioner considers this to

be a significant period of time over which unauthorised access to
personal data went undetected and/or unremedied.?°%

101 See further Step 5 below.
102 See Marriott’s SeconRepresentations,para 2.7(a)(iii), whii then contradictedby the
statement i para 2.7(a)(iv), which suggests that card cancellation i merely an “inconveniencan”
not, as suggestei sub-para (iii) a necessary componof a finding of distress.
103 Marriott’s First Representations at para 3.2(b) and Marriott’s Second Representations at para 2.3.
54 The intentional or negligent character of the infringement

(Article 83(2)(b))

7.14. The Commissioner has had regard to the guidelines provided by the

Article 29 Working Party i relation to assessing the character of the
infringement i issue. I explains that:

. In general, “intent” includes both knowledge and wilfulness

in relation to the characteristics of an offence, whereas
“unintentional” means that there was no intention to cause
the infringement although the controller/processor breached
the duty of care which is required in the law.

It is generally admitted that intentional breaches,
demonstrating contempt for the provisions of the law, are
more severe than unintentional ones and therefore may be
more likely to warrant the application of an administrative

fine. The relevant conclusions about wilfulness or negligence
will be drawn on the basis of identifying objective elements
of conduct gathered from the facts of the case...1°

7.15. The Commissioner recognises that the infringement was not an

intentional or deliberate act on the part of Marriott. This has been
taken into account i assessing whether a fine i appropriate i this

case.

7.16. The Commissioner does, however, consider that Marriott was

negligent (within the meaning of Article 83(2)(b) GDPR) i
maintaining systems that suffered from the vulnerabilities and

shortcomings identified i Section 6 above.!°

7.17. In making this determination, the Commissioner places some weight
on the relevant context: a company of the size and profile of Marriott

i expected to be aware that i i likely to be targeted by attackers,
sophisticated or otherwise. Marriott must be aware that the nature

of its business involves processing large volumes of personal data,
including sensitive personal data. The risk of any compromise of that

information may have significant consequences for Marriott’s
customers and its own business.

104 Pp.11-12.
105 Marriott’s general claim at par2.9(b) of its SecoRepresentationrefers to its specific
explanations i section 3 of those representations, which have been i section 6 above.
557.18. In view of these factors, the Commissioner: (a) would expect

Marriott to have taken appropriate steps or a combination of
appropriate steps to secure the personal data of its customers; and
(b) considers that Marriott failed to comply with the standards

imposed by the GDPR i failing to do so. Beyond this, the
Commissioner has not treated the nature of Marriott’s conduct under

Article 83(2)(b) as an aggravating factor i assessing whether to
impose a penalty, or how much that penalty should be. However,
she i obliged to take into account the character of the infringement

under Article 83(2)(b). Thus, she does not consider that she has
erred i “applying this factor”, as Marriott submitted i its First

Representations.1%

7.19. Marriott relied upon the Article 29 WP Guidelines to argue that the

draft decision failed to treat the fact that the breaches were not
deliberate as a positive factor i favour i assessing whether to
impose a fine.‘°” These Guidelines state that intentional breaches

are more likely to warrant the application of a fine. Marriott
submitted that i this i the case, the absence of intention must

weigh in the controller’s favour.

7.20. I i unclear what additional weight Marriott considers the absence
of intention should attract i this case. The mere recognition i the

Article 29 WP Guidelines of the obvious point that a deliberate
breach i more likely to result i certain consequences does not alter

the fact that a penalty may be imposed for a breach of a different
nature (and nor would i be consistent with Article 83 GDPR i fines

only applied to deliberate conduct). The Commissioner has taken
into account the fact that the breaches were not deliberate as part
of her overall assessment (as Marriott recognises?°*). However, i

circumstances where, as here, the breaches were negligent within
the meaning of Article 83(2)(b), that fact must also be taken into

account when assessing whether to impose a fine and, i so, at what
level.

7.21. Marriott also criticised the Commissioner’s analysis as being

duplicative because she had regard to, inter alia, the scale of
Marriott’s processing operations i assessing whether its actions

106 Marriott’s Representations, para 3.3.
107 Marriott’s Second Representations, para 2.9(a).
108 Ibid.
56 were negligent under Article 83(2)(b), as well as i assessing
whether i complied with Articles 5 and 32 GDPR.!°? While i i true

that the Commissioner considered some of these factors when
concluding whether there was a breach of Articles 5 and 32, these

factors are relevant i both contexts. The issue of whether a breach
has arisen, and the nature of Marriott’s responsibility for i are
clearly related issues.

Any action taken by the controller or processor to mitigate
the damage suffered by data subjects (Article 83(2)(c))

7.22. The Commissioner has carefully considered Marriott’s submissions
to the effect that i could not discern from the draft decision how the
mitigation action i took i response to the Attack has been taken

into account because i was dealt with at this Step, rather than at
Step 5.110

7.23. The Commissioner remains of the view that i makes no difference
to the ultimate decision on what, i any, penalty to impose whether
the action taken by the controller to mitigate the damage i taken

into account here, or under Step 5 i this Penalty Notice. However,
she has decided to consider this issue separately under Step 5 i

this Penalty Notice.

The degree of responsibility of the controller or processor
(Article 83)(2)(d))

7.24. As a controller, Marriott i responsible under the GDPR for the
security of its systems and the protection of personal data stored

within those systems. I i required by the GDPR to implement
security measures to reduce the vulnerability of those systems, and
the vulnerability of the personal data processed within those

systems, to attack. While the entry of the Attacker into Starwood’s
systems pre-dates Marriott’s acquisition of that company, Marriott
had an ongoing duty to ensure the safety and security of the

systems i was using to process personal data.

7.25. As i clear from Section 6 above, there were multiple deficiencies i

the security measures i place i respect of the Starwood system,
which Marriott continued to operate to process personal data after

109 Marriott’s Second Representations, para 2.9(c).
110 Marriott’s Second Representations, paras 1.9-1.10, and 1.34.
5/ the GDPR came into force. As a result, the Attacker was able to

remain present and undetected i the system after 25 May 2018
until the triggering of the Guardium alert i September 2018.

7.26. The Commissioner therefore considers that, for the duration of the
infringement on which this penalty i based, Marriott i wholly
responsible for the breaches of Articles 5(1)(f) and 32 GDPR

described above.

7.27. In its Representations, Marriott highlighted the fact that the NOI did

not mention that Accenture provided i with third-party IT
services.'!! In response to the draft decision, Marriott explained that

i its view, the fact that i engaged Accenture to assist i the security
management of the Starwood network should be taken into account

i assessing Marriott’s responsibility for the Attack.

7.28. I i acknowledged that Accenture i an experienced provider of
security services and that i provided services i relation to

Marriott’s security environment. However, the fact that i was
charged with implementing, maintaining or managing certain

elements of the system does not reduce Marriott’s responsibility for
the breaches of the GDPR that have been identified. In

circumstances where Marriott accepts that i i the relevant data
controller, and significant failures i its security measures have been
identified, the engagement of third parties cannot reduce its degree

of responsibility.

7.29, For the avoidance of doubt, however, in taking a holistic view of the

security measures put i place, account has been taken of, for
example, the fact that Guardium was i place and certain alerts were

applied under that system (which Accenture monitored).

7.30. Finally, Marriott i correct to state in its Representations that the

Article 29 WP Guidelines provide that “industry standards... are
important to take into account” when assessing compliance with the
GDPR. The Commissioner has taken into account Marriott’s detailed

submissions on its compliance with PCI DSS standards, i particular
i respect to the concerns which arose i respect of the application

111 Marriott’s First Representatpara 3.5, anMarriott’s SeconRepresentationsparas2.10-
2.11.
58 of MFA across the Starwood network.!!2 However, Marriott’s

obligations under Article 5(1)(f) and Article 32 GDPR go beyond the
requirements of the PCI DSS and extend to all personal data, not

just cardholder information with which those standards are
concerned. The fact that Marriott may have complied with certain
industry guidance focusing on specific types of personal data does

not obviate or reduce its responsibility for the security of all of the
personal data i holds.

Relevant previous infringements (Article 83(2)(e))

7.31. Marriott has no relevant previous infringements or failures to comply

with past notices.

7.32. Marriott claims that this fact should weigh positively i its favour,

rather than neutrally.1t? The fact that Marriott has no relevant
previous infringements i a matter that has been taken into account
i the Commissioner’s decision whether to impose a penalty, and i

her decision as to the appropriate level of that penalty.

Degree of cooperation with supervisory authority (Article

83(2)(f))

7.33. Marriott has cooperated fully with her investigation and this has

been taken into account.

Categories of personal data affected (Article 83(2)(g))

7.34. The Commissioner has identified the relevant categories of personal
data in Section 4 above. As noted there, the data included in some
(but not all) cases unencrypted passport details, details of travel,

and various other categories of personal information including
name, gender, date of birth, VIP status, address, phone number,

email address, and credit card data.

Manner in which the infringement became known to the

Commissioner (Article 83(2)(h))

112 See Marriott’s First Representations, para 3.6 and MarriRepresentationspara 2.12
and Section 3.
113 Marriott’s First Representations, para 3.7.
597.35. Marriott notified the Commissioner of the Attack on 22 November
2018 and i considered to have complied with its obligations i this

respect.

Conclusion at step 2

7.36. Taking into account: (a) the matters set out i Sections 2-4 and 6

above; (b) the matters referred to in this section; and (c) the need
to apply an effective, proportionate and dissuasive fine i the
context of a controller of Marriott’s scale and turnover, the

Commissioner considers that a penalty of £28 million would be
appropriate, before adjustment i accordance with Steps 3-5 below

and the application of the Commissioner’s Covid-19 policy. This
amount i considered appropriate to reflect the seriousness of the
breach and takes into account i particular the need for the penalty

to be effective, proportionate and dissuasive.

Step 3: Adding i an element to reflect any aggravating factors
(Article 83(2)(k))

7.37. The amount of the penalty, as identified at Step 2, may be increased

where there are ‘other’ aggravating factors.'1+ In this case, the
Commissioner does not consider there to be any other relevant

aggravating factors. Thus, no adjustment i made to the penalty
level determined at Step 2.

Step 4: Adding i an amount for a deterrent effect on others

7.38. The Commissioner i under an obligation to impose a penalty which

i “dissuasive”. The need for the penalty to be dissuasive in relation
to Marriott itself i addressed by the analysis at Step 2. Having

regard to the amount of the penalty identified under step 2, the
Commissioner does not consider i necessary to increase the penalty
further under Step 4 to dissuade others.!!°

7.39. The Commissioner i not aware of widespread issues of poor practice
that may be particularly deterred by the imposition of a higher

penalty. Given Marriott’s size and the scale of its operations, and
the fact that the Commissioner has decided to impose a penalty that
already takes those factors into account as part of the need to

ensure that any penalty i proportionate, effective and dissuasive

114 Tn accordance with Article 83(2)(k) GDPR, section 155(3)(k) DPA. and page 11 of the RAP.
115 This makes redundant the points about this Step made by Marriott i i Representations.
60 and to reflect the seriousness of the breach, the Commissioner

considers that no adjustment i necessary under Step 4.

Step 5: Reducing the amount (save that i the initial element) to
reflect any mitigating factors, including ability to pay (financial
hardship) (Article 83(2)(k))

7.40. As explained above, i principle, other relevant mitigating factors
could be taken into account under Step 2 or Step 5 of the RAP.
Previously the Commissioner considered such matters i the round

under Step 2 of the RAP, taking into account the factors in Article
83 GDPR and section 155(3) DPA 2018. However, i the light of

Marriott’s representations for the purposes of this Penalty Notice the
Commissioner has considered the relevant mitigating factors under

Step 5.

7.41. Following the guidance set out at page 11 of the RAP, and having
considered Marriott’s Representations, the Commissioner has taken

into account the following mitigating factors:

a. Marriott had, prior to becoming aware of the Attack, confirmed

in 2018 a new $19 million security investment for 2019, which
raised Marriott’s budgeted spend for that year on security to
$49.5million. Subsequent investment decisions i 2019 have

raised Marriott’s forecasted IT security budget spend on IT
security for 2020 to $108.5million;

b. Marriott took immediate steps to mitigate the effects of the
Attack and protect the interests of data subjects by

implementing remedial measures;

c Marriott cooperated fully with the Commissioner's investigation,
including responding promptly to requests for information;

d. Widespread reporting i the media of the Attack i likely to have
increased the awareness of other data controllers of the risks

posed by cyber-attacks and of the need to ensure that they take
all appropriate measures to secure personal data; and

e. The Attack and subsequent regulatory action has adversely

affected Marriott’s brand and reputation, which will have had
some dissuasive effect on Marriott and other data controllers.

617.42. More specifically, the Commissioner has taken into account the fact
that, upon being alerted to the Attack, Marriott acted promptly to

mitigate the risk of damage suffered by data subjects, by way of the
following technical remedial measures:

a. The deployment of real-time monitoring and forensic tools on
70,000 devices on the Starwood network;

b. Implementing password resets;

c Disabling known compromised accounts; and

d. Implementing enhanced detection tools.

7.43. These measures should allow Marriott to prevent similar breaches i
the future, including by identifying any additional attackers or
malicious software being utilised on its servers.

7.44, The Commissioner has also taken into account the fact that Marriott
also took steps to: (a) establish a notification and communication

regime; (b) create a bespoke incident website i numerous
languages; (c) send 9.2 million notification emails to data subjects
whose country of residence was recorded i the Starwood Guest

Reservation Database as being i the EU); (d) establish a dedicated
call centre; (e) provide web monitoring to affected data subjects;

(f) enhance its data subject rights programme; (g) engage with card
networks; and (h) improve its technical and _ organisational
measures generally.1?© I i also noted that Marriott informed a

number of other regulatory and law enforcement agencies.

7.45. I i acknowledged that the steps outlined above will have gone
some way to reassuring Marriott’s customers, and therefore may

have reduced or mitigated any distress caused by the breach.
However, the fact that the Marriott call centre received 57,000 calls

between 30 November 2018 and 31 May 2019 (7,500 of these being
calls to EU-based call centres)?!’ i indicative of the level of concern
amongst affected data subjects on learning of the breach and

subsequently.1!®

116 Marriott’s First Representations, para 3.4.
117 Marriott’s Second Representations, para 2.7(b)(ii).
118 Contrary to para 2.7(a)(b)(i) of MarriottRepresentations, i i not being suggested that
all of those who called Marriott’s call centre were suffering from distrbut i i likely

627.46. Contrary to Marriott’s submissions,!+9 the fact that very few of these

calls were escalated internally or resulted i a complaint i
irrelevant. The information provided by Marriott suggests that call
handlers had FAQs available to advise customers on how to respond

to the breach etc, which was presumably intended to address most
situations arising.!2° Thus, the fact that only a certain number of

individuals had their calls escalated / resulted i a complaint does
not provide any real indication of the extent to which individuals
were distressed or harmed by the loss of their data.

7.47. Marriot also relied i this regard on a claim that the Commissioner’s
findings of distress and harm were materially undermined because

the centre only received 57,000 calls when millions of individuals
were affected by the breaches.!*! However, i circumstances where:

(a) Marriott had established a dedicated website to address
concerns; and (b) individuals may have sought advice from third
parties and/or acted on their own knowledge and experience, the

comparison between these figures does not undermine the
Commissioner’s findings. The number of calls i sufficiently large to

suggest that there were data subjects who were concerned.

7.48. Thus, while the Commissioner has taken into account, as outlined
below, the steps taken by Marriott to mitigate the impact of its

breaches of the GDPR, she remains of the view that those actions
would not have immediately neutralised all the concerns on the part

of data subjects about their data being i the hands of criminals /
outside of Marriott’s control.

7.49. Having regard to the mitigating factors set out above, i i
appropriate to reduce the £28 million penalty by 20%, i.e. to £22.4
million.

7.50. As a result of the Covid-19 pandemic, Marriott has also argued that
any penalty should be reduced because of the financial hardship i

would cause.

7.51. The Commissioner has considered Marriott’s representations, and
the evidence i has provided. Although the Covid-19 pandemic has

that - as stated here - the majority of callers were at least sufficiently concerned to make the call,
which i inconsistent with Marriott’s position that no or only trivial harm at all would have arisen.
119 Marriott’s Second Representations, para 2.7(b)(iii).
120 Marriott’s Second Representations, para 2.7(b)(iii).
121 Marriott’s Second Representations, para 2.7(b)(iv).
63 had a significant impact on Marriott’s revenues, Marriott’s overall

financial position i such that the Commissioner does not consider
that the imposition of a penalty i the range being proposed will
cause financial hardship, or that Marriott will be unable to pay such

a penalty.

7.52. However, the Commissioner has published guidance entitled “The

ICO’s regulatory approach during the Coronavirus public health
emergency”.'?2 That guidance indicates that “As set out in the
Regulatory Action Policy, before issuing fines we take into account

the economic impact and affordability. In current circumstances,
this is likely to mean the level of fines reduces.” While the proposed

penalty will not cause financial hardship for Marriott, the
Commissioner considers i appropriate to reduce the penalty that

would otherwise have been imposed, i light of the current public
health emergency and associated economic consequences. This i
addressed below, separately from Step 5.

7.53. The Commissioner has carefully considered Marriott’s submissions
that there are other additional mitigating factors that should be

taken into account i this case.!23 However, none of the points raised
justify a further reduction of the appropriate penalty beyond the
discount set out above. In particular:

The Commissioner does not consider i appropriate to further
reduce the penalty by reference to costs to Marriott of taking

measures to rectify or mitigate the impact of its infringement,
including the cost establishing a bespoke website, call centre,

web monitoring, the enhancement of Marriott’s data subject
rights programme, and any other customer-facing remediation
activities. The fact that Marriott was required to expend a large

amount - on Marriott’s assessment i excess of $50 million+
- i customer-facing remediation activities i not directly

relevant to the amount of any penalty. The fact that mitigating
measures were taken, i accordance with Marriott’s obligations
as a controller, has already been taken into account.

122 Version 2.1, 13 July 2020.
123 Marriott’s First Representations, para 3.13(c).
124 Marriott’s First Representations, paras 3.4(a) and 3.13(c)(vi).
64 Marriott’s preparations for the introduction of GDPR are
noted.!2° However, these do not address the Commissioner’s

conclusions on Marriott’s failure to implement appropriate
security measures i relation to the systems i acquired from

Starwood.

The Commissioner has recognised that the Attack involved
persistent criminal activity.17© But this does not alter the fact

that the security of Marriott’s network was inadequate i a
number of respects, and that those failings could and should

have been addressed on a prospective basis through the
implementation of appropriate measures. I i Marriott’s
breaches of Articles 5(1)(f) and 32 GDPR for which i i being

penalised, not the actions of third parties.

The security measures that were deployed on the Starwood

security environment and on the Starwood Guest Reservation
Database are noted.!?” However, the existence of these
measures do not detract from the Commissioner’s conclusions

on Marriott’s failure to implement appropriate security
measures (see section 6). That Marriott took some steps to

secure the Starwood system i not considered to be a mitigating
factor i the circumstances of an infringement of this scale and
severity.

7.54. Accordingly, having carefully considered the mitigating factors
raised by Marriott, which are relevant to the assessment of the
appropriate level of any penalty, the overall penalty payable by

Marriott after Step 5 i £22.4 million.

Application of Covid-19 Policy

7.55. As described above, having regard to the impact of the Covid-19

pandemic (on Marriott and more generally), and consistently with
the Commissioner’s published guidance, a further reduction i
appropriate and proportionate. The final penalty payable will

therefore be reduced to £18.4 million.

125 As relied upon at paras 3.13(c)(iii) of Marriott’s First Representations.
126 Marriott’s First Representations, para 3.13(c)(iv).
127 Marriott’s First Representations, para 3.13(c)(i)-(ii).
65 Application of the fining tier(s) (Articles 83(4) and (5) GDPR)

7.56. The infringement of Article 5(1)(f) GDPR falls within Article 83(5)(a)

GDPR, whereas Article 32 falls within Article 83(4)(a). The
appropriate tier i therefore that imposed by Article 83(5)(a) as this

i the gravest breach i issue i this case.

7.57. In any event, for the year ended 31 December 2017 Marriott has

confirmed that its relevant worldwide annual turnover i $4.997
billion. The penalty the Commissioner has decided to impose on
Marriott i the sum of £18.4 million. This i considerably less than

4%, indeed considerably less than 1%, of Marriott’s total worldwide
annual turnover, and accordingly well within the cap imposed by

Article 83(5) GDPR.

Marriott’s other representations on the decision to impose a

penalty and the appropriate Penalty amount

7.58. Marriott’s Representations contained detailed submissions i
response to: (a) the Commissioner’s decision to impose a penalty at

all; and (b) the proposed penalty amount, as indicated i the Notice
of Intent. The Commissioner has carefully considered those

submissions and, to the extent they have not been addressed above,
responds to them below.

7.59. In summary, Marriott submitted as follows:

a. First, the Commissioner misapplied Article 83(2) i deciding to
impose a fine and in determining the appropriate level of

penalty. A proper application of that Article should result i no
fine being imposed at all or, i the alternative, i should result

i the imposition of only a low level of penalty;!2°

b. Second, the Commissioner unlawfully applied an unpublished
internal document, entitled “Draft Internal Procedure for

Setting and Issuing Monetary Penalties”, i setting the
proposed penalty on Marriott which was included i the NOI.+29

However, setting a proposed penalty amount without the Draft

128 Marriott’s First Representations, Executive para 8 and Section 3; and Marriott’s Second
Representations, Section 2.
129 Marriott’s First RepresentatExecutive Summary,para 9(a) and paras 4.2-4.12, 4.14(e),
4.19,
66 Internal Procedure (or similar), as the Commissioner did i the

draft decision, also offends the principle of legal certainty.1*°

c Third, the Commissioner erred by relying on turnover as the

sole metric i determining the level of fine proposed i the NOI,
and i continuing to treat turnover the most important factor i

its quantification analysis i the draft decision;+3!

d. Fourth, the Commissioner has applied the wrong fining Tier

under Article 83 GDPR i calculating the proposed fine;+%

e. Fifth, the Commissioner erred in the NOI by applying an uplift

to ensure an appropriate deterrent effect; 17?

f Sixth, the Commissioner breached Marriott’s legitimate

expectation that she would operate her fining powers under the
GDPR i accordance with past precedents, i.e. decisions made,

under the DPA 1998 and/or only applying incremental increases
to the fines that would have been imposed under the 1998 Act

(which was subject to a £500,000 maximum fine limit).1*4 This
same failure, which Marriott described as a failure to comply

with the “Precedents-Based Approach”, i also said to amount
to a breach of the principle of legal certainty.1*° In its Second

Representations, i particular, Marriott contends that i the
absence of any new guidance providing clear and specific

quantification methodology determining how fines are to be
calculated, any decision to issue a fine would breach that

principle.17© In this regard Marriott also relies on a comparison
with a case decided by the Financial Conduct Authority (the

“FCA”) i respect of Tesco Bank.'?” I also relies on an alleged
inconsistency between the penalty proposed i this case and
those imposed through other decisions issued by the

130 Marriott’s Second Representations, Executive summary, para 1 and paras 1.1-1.5.
131 Marriott’s First RepresentatiExecutive Summary, para 9(b), and paras 4.14-4.15and
Marriott’s SeconRepresentations, paras 1.35-1.38.
132 Marriott’s First Representations, Executive Summary, para 9(b), and paras 4.16-4.17.
133 Marriott’s First Representations, paras 4.24-4.30
134 Marriott’s First Representations, Executive Summary, para 9(c), and paras 4.36-4.41; Marriott’s
135 Marriott’s First RepresentatiExecutive Summary,d para 9(c), and paras 4.50-4.73and
Marriott’s SeconRepresentationsExecutive Summary, para 1, and para 1.1.
136 Marriott’s Second Representations, Executive Summary, para 1 and paras 1.6-1.11.
137 Marriott’s First Representations, paras 4.3and Marriott’s SeconRepresentationsparas
1.26-1.27

67 Commissioner and by other European supervisory

authorities.+#8

g. Seventh, the Commissioner has acted contrary to the RAP

because she has failed to calculate the penalty proposed i the
NOI and the draft decision i accordance with its terms;+79 and

h. Eighth, the Commissioner proposed a penalty i the NOI which

i disproportionate on its face NOI, and the revised penalty set
out i the draft decision remains disproportionate.14°

(1) Application of Article 83(2)

7.60. The Commissioner has described at paragraphs 7.3-7.53 how the
factors listed i Article 83(2) apply to the facts of this case. In its

Representations, Marriott criticised the Commissioner’s findings i
this regard. Where necessary those criticisms have been addressed

at each step of the analysis set out above and/or i Section 6 above.

(2) Draft Internal Procedure

7.61. Prior to issuing the NOI i this case, the Commissioner had
developed a Draft Internal Procedure for calculating proposed fines,

as a supplement to the RAP. Its purpose was to provide an indicative
guide, by reference to the turnover of the controller, as to the

appropriate penalty. As the GDPR i a new regime, this additional
tool was intended to assist the decision-makers i applying Article

83 GDPR and the RAP to the facts of a particular case.

7.62. Marriott made detailed submissions on this issue.‘4+ The

Commissioner has considered those submissions i deciding how to
approach the calculation of the penalty to be imposed i the draft
decision, and ultimately i this Notice.

7.63. The Commissioner remains of the view that the controller’s turnover
i a relevant consideration i determining the appropriate level of

penalty (see below), but she has decided that the Draft Internal
Procedure should not be used. Therefore, i deciding the appropriate

138 Marriott’s Second Representations, Executive Summary, para paras 1.12-1.19.
139 Marriott’First Representationsparas4.42-4.49; and Marriott’s SecondRepresentations,
Executive Summary,para 2, and paras 1.32-1.34.
140 Marriott’s First RepresentatiExecutive Summary, para 9(d), and paras 4.74-4.77,and
Executive Summary,para 1, and paras 1.39-1.41 of Marriott’s SRepresentations.
141 See paras 4.2-4.12 of Marriott’s First Representations and parag1.2-1.5 of Marriott’s
Second Representations i particular.
68 penalty i this case the Commissioner has not relied on the Draft
Internal Procedure (she did not rely upon i for the purposes of her

draft decision, and the same approach was adopted i preparing this
Penalty Notice). She has instead relied only on Article 83 GDPR,

section 155 DPA and the RAP. The approach taken to the calculation
of the penalty for the purposes of this Notice i set out above.

7.64. Marriott i wrong to assert that, but for its pressing for disclosure i

correspondence, the Commissioner would not have disclosed the
draft guidance document.!42 The policy was provided on 2 August

2019 i response to a request made i a letter from Marriott dated
24 July 2019. The NOI set out how the penalty was arrived at. The
Commissioner also provided further information about how the

penalty was calculated i her letter of 17 July 2019. The
Commissioner i obliged to consult the controller on the NOI and she

did so. Marriott took the opportunity to make detailed submissions,
and the Commissioner has carefully considered all those
submissions, and acted upon them to address the concerns raised.

7.65. Marriott’s First Representations also criticised the use of a
percentage range as part of its process for calculating the proposed

penalty (applying the Draft Internal Procedure) and/or the way i
which the Commissioner applied the turnover bands at the NOI.147
As this approach has not been adopted i this Notice, nor has the

Draft Internal Procedure been applied, the Commissioner does not
respond to the individual points made by Marriot on the application
of the Draft Internal Procedure further here.

7.66. In its Second Representations, Marriott states that whilst i
welcomes the fact that the Draft Internal Procedure i no longer

relied upon by the Commissioner, (a) the Commissioner cannot rely
upon the £99.2m figure proposed in the NOI as a reference point
when assessing the legality or proportionality of the present

proposed penalty figure;!** (b) the RAP cannot constitute an
adequate basis for the calculation of a penalty i circumstances

where the Commissioner had previously devised the Draft Internal
Procedure;!*° and (c) i the absence of the Draft Internal Procedure,
there i a lack of clarity governing penalty calculation and

142 Marriott’s Representations, paras 4.2 and 4.8.
143 Marriott’s Representations, paras 4.19-4.23.
144 Marriott’s Second Representations, para 1.3.
145 Marriott’s Second Representations, para 1.4.
69 undermines legal certainty.!*© These points are not accepted for the
following reasons.

7.67. First, the Commissioner does not seek to use the figure of £99.2m,
as proposed i the NOI, as a “reference point” for the penalty set i

the draft decision, or the present penalty. Rather, the Commissioner
carried out a fresh calculation exercise having regard to the factors
listed under Article 83 of the GDPR and the RAP. See further para

7.128 below.

7.68. Second, the Draft Internal Procedure was not developed to ‘cure’

any gap i legal certainty left by the RAP. I was intended to be a
helpful supplement to the RAP for internal decision-making
purposes. In deciding what level of penalty may (at the consultation

stage) or i appropriate i this case, the Commissioner has always
applied the approach set out i the RAP, and considered the factors

under Article 83 GDPR. The fact that a document was created to
provide supplemental detail to the RAP does not render the RAP so
deficient so as to prevent a penalty being calculated i this case.

Marriott’s submissions on legal certainty are addressed i more
detail below.

(3) The Commissioner’s reliance on Marriott’s turnover

7.69.
Marriott advanced a number of criticisms of the Commissioner’s
reliance on turnover i calculating her proposed penalty in its First
and Second Representations (see, for example, para 4.14 of its First

Representations).

7.70. First, Marriott submitted that the only metric the Commissioner used
to calculate the penalty proposed i the NOI was turnover. This i

incorrect. As i clear from the NOI itself, while turnover was used as
a starting point in seeking to assess the appropriate penalty, a range

of other relevant factors were considered i accordance with the RAP
and the GDPR. In any event, the turnover-bandings set out i the
Draft Internal Procedure has not been used i preparing this Notice.

7.71. Second, Marriott submitted that turnover cannot be regarded as a
core metric i a case such as this where the wrongdoer has not

profited from the breach. Marriot claimed that there i no logical
relationship between the breach and the controller’s turnover. The

146 Marriott’s Second Representations, para 1.5.
70 Commissioner’s approach, Marriott said, simply punishes a
controller for being a large undertaking. Marriott compares the

penalty proposed i this case to the Commissioner’s decision
regarding Doorstep Dispensaree Ltd, dated 20 December 2019,

suggesting that this shows that the Commissioner i treating
turnover, unjustifiably, as the most important factor.**’

7.7/2. The Commissioner does not accept these arguments. She considers

turnover to be a relevant consideration i determining the
appropriate level of penalty i this case (as well as i other cases

not involving a controller profiting from a breach), for the following
reasons:

a. A turnover-based approach i consistent with the approach
taken to penalties i the GDPR. The Data Protection Directive

did not prescribe the level of fines that Member State
authorities should impose for data breaches. The GDPR departs
from that approach. In doing so, i expresses the maximum

penalty in terms of a percentage of turnover. Turnover i
therefore a relevant factor i determining the appropriate level
of penalty to be imposed. This i also reflected i the Recitals,

which make clear that the economic position of the controller i
relevant even where the controller i a private person and not
an undertaking: “ Where administrative fines are imposed on
persons that are not an undertaking, the supervisory authority

should take account of the general level of income in the
Member State as well as the economic situation of the person
in considering the appropriate amount of the fine.”

b. Further, and i any event, the Commissioner i obliged to
ensure that any penalties imposed are “effective, proportionate

and dissuasive”. Having regard to a data controller’s turnover
complies with this principle by ensuring that the level of any
penalty i not only proportionate, but i also likely to be an
effective and dissuasive deterrent for the undertaking on which

i i imposed, and other equivalent controllers. I i self-evident
that imposing the same penalty on an undertaking with a
turnover of billions of pounds as would be imposed on a small

or medium sized business would not be effective, proportionate
or dissuasive. Comparable regulatory regimes that share the
GDPR’s emphasis on deterrence, such as under competition

147 Marriott’s Second Representations, paras 1.36-1.37.
71 law, also take turnover into account i i some form in setting
penalties.

c Marriott’s claim that the introduction of the maximum amount
safeguard caps i Articles 83(4) and (5) does not mean that

turnover can be treated as a relevant metric i incorrect, for the
reasons articulated i points (a) and (b) above.!*° In particular,
Marriott’s claim that treating turnover as a relevant metric

“outside of disgorgement of profits cases is illogical and
perverse”, does not withstand scrutiny. I i plain from the
relevant provisions of the GDPR, read as a whole, that the
economic position of a controller i one relevant factor i

determining what penalty i appropriate on the particular facts
of any case. The GDPR does not limit the relevance of turnover
to cases involving disgorgement.

d. As to the decision i Doorstep, the difference between the
turnover of that controller and Marriott i obviously relevant.

However, each case i considered on its individual facts.
Marriott’s attempts to compare the number of records involved,
and then scale up the appropriate level of fine (60 times the

number of records, results i a maximum 60 times higher level
of fine), are misconceived. See further paras 7.116-7.119
below.

7.73. Third, Marriott submitted that any penalty regime engages the

fundamental rights of controllers, including their fundamental right
to property as provided for under Article 1 of Protocol 1 of the

European Convention on Human rights, and Article 17 of the EU
Charter of Fundamental Rights.149 The Commissioner recognises
that i imposing a penalty on a controller, she must comply with any

relevant fundamental rights that are engaged, including under the
ECHR or the EU Charter. However, i i not accepted that taking into

account a controller’s turnover i determining the appropriate
penalty i incompatible with those rights because i i arbitrary or
results i grossly disproportionate levels of penalty (as Marriott

contended at para 4.14(c) of its First Representations). I i an
approach that complies with the regime established by the GDPR.

148 Marriott’s First Representations, para 4.14(d).
149 Marriott’s First Representations, para 4.14(c).
127.74. Fourth, Marriott contended that the turnover approach _ i

inconsistent with the RAP.!°° This i incorrect.

7.75. As explained above, the calculation of the proposed penalty i the
NOI was not exclusively based on turnover, contrary to Marriott’s

claim. I took account of the various factors discussed i the RAP.
This Notice addresses each step of the process of the RAP in turn to

make even clearer that the penalty has been set i accordance with
its terms. Turnover i relevant to establishing whether a penalty i
appropriate, proportionate, effective and dissuasive i applying the

steps set out in the RAP, as explained above.

7.76. Moreover, Marriott’s reliance in this regard on reference in the RAP

to circumstances i which the Commissioner will convene an
advisory panel i misplaced.1>! The RAP describes “very significant”

penalties as those “expected to be those over the threshold of 1M”
i that particular context, i.e. the context i which the Commissioner
may convene an advisory panel. This was not intended to be - and

i any event cannot objectively be read as giving - an indication to
controllers of the likely penalty they may face i the event of a data

breach, particularly in light of the provisions of GDPR. The section
of the RAP setting out how penalties will be calculated does not refer
to the concept of “very significant” penalties at all.

7.77. Consequently, the RAP’s discussion of when an advisory panel may
be convened i no basis for saying that turnover i not a relevant

factor i determining penalty. Marriott was also therefore wrong to
claim in its Representations that: (a) the £1million figure referred to

i the discussion of when an advisory panel may be appropriate
should be the starting point for calculating fines i the most serious
and significant cases before the Commissioner;1>* and (b) the

Commissioner must justify imposing any fine above that threshold
figure. This i a misreading of the RAP, see further below.

7.78. Firth, Marriott contended that what the Commissioner should have
done i quantifying the appropriate penalty was to “(a) start with
what an infringement of this nature is objectively worth in penalty

terms having regard to its nature, gravity and duration, irrespective
of the financial stature of the wrongdoer; then (b) add or take away

150 Marriott’s First Representations, para 4.14(f).
151 Page 26 of the RAP. See also para 4.46 of Marriott’s First Representations.
152 Marriott’s First Representations, para 4.46.
13 amounts to reflect respectively aggravating and mitigating factors;

before moving at the final stage of the analysis to (c) the question
of whether, in view of all the circumstances, some increase in the
penalty is required to ensure a deterrent effect.”'>?

7.79. The Commissioner’s approach i set out above. She has considered
each step of the RAP, and a of the factors listed i Article 83 GDPR,

i order to arrive at the overall appropriate penalty. Given that the
financial stature of the wrongdoer would need to be taken into
account at least i considering whether an increase i fine would be

necessary to secure a deterrent effect, i i not clear that adopting
the alternative structure proposed by Marriott would make any

material difference to the outcome.

(4) The appropriate tier

7.80. In response to the NOI, Marriott submitted that the Commissioner

had applied the wrong fining tier. I was said that the Commissioner
incorrectly categorised the breaches i issue as a Tier 2
infringement, allowing for a maximum fine of 4% of turnover.!>4 This

submission was based, i summary, on the following points:

a. Article 5(1)(f) i simply a shorter, summary version, of the

more detailed and specific obligation i Article 32. Article 32
GDPR therefore amounts to the /ex specialis of Article 5(1)(f)
and should therefore take precedence.

b. The maximum fine should be 2% in this case because:

i Any ambiguity in the wording of a provision of law
imposing a civil penalty should be resolved i favour of the

controller.

i |The wording of Article 83(4) makes clear that the intention
was to impose this lower maximum cap for breaches of
Article 32, which i the /ex specialis.

7.81. The Commissioner does not accept these submissions, for the

following reasons.

153 Marriott’s First Representations, para 4.15.
154 Marriott’s First Representations, paras 4.16-4.17.
747.82. First, the GDPR addresses expressly what the appropriate maximum

fine should be when a controller breaches the “basic principles of
processing” under Article 5 GDPR. Article 5(1)(f), as one of the basic
principles of processing, cannot be dismissed as simply a summary

of a later new provision included i the GDPR. The EU legislature has
made i clear that a higher penalty i appropriate where a controller

i found to have breached the basic principles of processing that
underpin the regime. Contrary to Marriott’s submissions, Article
83(5)(a) provides i clear i explicit and unambiguous terms that

4% i the appropriate cap for breaches of Article 5, including Article
5(1)(f).

7.83. Second, the GDPR also recognises that the same or linked
processing operations may give rise to infringements of several

provisions of that Regulation. I addresses this by making clear that
the total amount of any penalty i to be the subject of the amount
specified for the gravest infringement (see Article 83(3)).

7.84. Third, the principle of /ex specialis means that “where a legal issue
falls within the ambit of a provision framed in general terms, but is

also specifically addressed by another provision, the specific
provision overrides the more general one.”!>> The Commissioner
does not accept that the application of the /ex specialis principle

precludes the Commissioner from treating this case as a Tier 2
infringement.

7.85. Article 5(1)(f) and Article 32 are evidently distinct provisions of the
GDPR, notwithstanding the degree of overlap. Article 32 applies to

processors, whilst Article 5 does not. Contrary to Marriott’s
submission, there i no basis upon which to give Article 32
precedence over Article 5(1)(f). They can be applied to controllers

at the same time: Article 32 does not override the basic
requirements laid down in Article 5(1)(f), read with Article 5(2),

which establish the responsibility of the controller for demonstrating
compliance with the security obligation and any breach of that
principle.

7.86. Further, and in any event, the provisions in Article 83(4) and Article
83(5) are distinct provisions which make explicit provision for

155 R (Hallam) v Secretary of State for Justice [202 at [144]. See also Case T-60/06 RENV
I Italy v Commissio(2016), at [81].
15 different fining tiers to apply to breaches of Articles 5 and 32 GDPR.
I i clear that any infringement of Article 32 falls within the scope

of Article 83(4) whilst an infringement of Article 5(1)(f) falls within
the scope of Article 83(5). Article 83(4) i not more specific than

Article 83(5). I i incapable of overriding or taking precedence over
i Rather, any issue as to which maximum penalty applies i
resolved by the application of Article 83(3) which states i terms

that i these circumstances “the total amount of the administrative
fine shall not exceed the amount specified for the gravest

infringement.” The legislation itself provides the mechanism for
addressing circumstances i which processing engages more than
one obligation.

7.87. The Commissioner notes that her interpretation of Articles 83(4)-(5)
i supported by the Article 29 Working Party’s Guidelines on the

application and setting of administrative fines for the purposes of
the GDPR, which states:

Specific infringements are not given a specific price tag in the

Regulation, only a cap (maximum amount). This can be indicative
of a relative lower degree of gravity for a breach of obligations

listed in article 83(4), compared with those set out in article
83(5). The effective, proportionate and dissuasive reaction to a
breach of article 83(5) will however depend on the circumstances

of the case...

The occurrence of several different infringements committed

together in any particular single case means that the supervisory
authority is able to apply the administrative fines at a level which
is effective, proportionate and dissuasive within the limit of the

gravest infringement. Therefore, if an infringement of article 8
and article 12 has been discovered, then the supervisory authority
may be able to apply the corrective measures as set out in article

83(5) which correspond to the category of the gravest
infringement, namely article 12....1°°

7.88. Fourth, i any event, Marriott’s main objection to the use of the 4%
maximum penalty appears to be its impact on the turnover-bands
applied under the Draft Internal Procedure, which was applied i

calculating the proposed fine included i the Notice of Intent. As this

156 Pages 9-10.
16 approach has not been adopted i determining the final level of
penalty to be imposed by this Notice, the same concerns do not

arise. I i noted that the final penalty imposed i well below the 2%
cap, and so the application of that cap i reaching the final decision,

as opposed to a 4% cap, would have made no difference.

7.89. Marriott also asserted i a single paragraph of its First
Representations that the Commissioner’s approach to quantification

i “wholly arbitrary”.'°’ This i not accepted, either as a criticism of
the NOI or this Notice. I appears that this argument rested on

Marriott’s contention that there are no clear and precise rules i
place governing the setting of the penalty by the Commissioner. This
claim i addressed below.

(5) An uplift to ensure a deterrent effect

7.90. Marriott claimed that the proposal i the NOI to increase the
proposed penalty for the infringement to 2.5% to ensure that i

would have a sufficient deterrent effect was arbitrary and
unlawful.1°° This i not accepted. The Commissioner i obliged to
consider whether such an uplift should be made under the RAP and

Article 83 GDPR.

7.91. Marriott's criticisms of the NOI in this regard relied heavily on its

criticisms of the previous use made of the Draft Internal Procedure’s
turnover-based approach i setting the proposed penalty at that
stage.'°°? These points have been addressed above. I i however,

important to note that para 61(d) of the NOI explained that i the
light of the scale and severity of the infringement and factors
discussed i para 61(a)-(c), a penalty of between 1.5 and 2% would

be appropriate and proportionate. Para 61(f) then went on to
consider what an appropriate uplift would be to ensure a deterrent

effect, which was a separate issue that warranted individual
consideration at a later stage of the analysis. These are separate
steps under the RAP (see Section 2 above). I i therefore incorrect

to assert, as Marriot did, that any uplift from the judged starting
point means that the Commissioner: “is knowingly imposing a

disproportionate penalty sum. °°

157 Marriott’s First Representations, para 4.18.
158 Marriott’s First Representations, para 4.24.
159 Marriott’s First Representations, paras 4.25-4.30.
160 Marriott’s First Representations, para 4.25.
ae7.92. In any event, as set out above under Step 4, no additional amount
has been added in this case for deterrent effect.

(6) Legitimate Expectation and Legal Certainty

The alleged legitimate expectation

7.93. In response to the NOI and draft decision, Marriott relied on

selective quotes from public statements made by the Commissioner
or her office about the new GDPR regime to contend that fines under
the GDPR should be set i accordance with past precedents, i.e.

decisions made under the DPA 1998.'6! What Marriott seeks, i
effect, i for the Commissioner unilaterally to impose the previous

domestic cap and approach to fines which applied i the UK prior to
the harmonised regime under the GDPR.

7.94. Plainly i i not open to the Commissioner, as a matter of domestic

or EU law, to adopt unilaterally an approach that would undermine
the object and purpose of the new EU regime.

7.95. The GDPR, and consequently the DPA, represent a significant
departure from the regime under DPA 1998 and the 1995 Directive.
The GDPR was expressly intended to harmonise the rights of, and

protections afforded to, data subjects across the EU. I differs
markedly from the 1995 Directive, most obviously i that i
introduces significantly higher and more effective penalties, with

maximum penalties defined expressly by reference to turnover. The
GDPR also imposes new obligations on controllers, including new

organisational requirements such as the designation of a data
protection officer and new provisions on the lawfulness of
processing. The GDPR and the DPA have significantly changed the

legal landscape i data protection and enforcement.

7.96. Marriott’s submissions are to the effect that public statements made

by the Commissioner override these changes, and as such she i
bound to apply i effect the DPA 1998 and/or only apply incremental
increases to the level of fine that would have been issued under that

Act. Public statements made by the Commissioner or her staff, which
are i any event quoted selectively and/or taken out of their proper

context by Marriott, are incapable of achieving this outcome.

161 Marriott’s First Representations, paras 4.37-4.41. See also Marriott’s First Representations, paras
4.65-4.66, see also Marriott’s SRepresentations, para 1.28-1.31.
187.97. More specifically, the public statements referred to by Marriott i its
Representations were not intended to be - and cannot objectively

be read as - assurances to any controller that the Commissioner
would not use her powers on a case by case basis, to impose

effective, proportionate and dissuasive penalties i appropriate
cases. Marriott disputes this, however, the Commissioner maintains
her position for the following reasons:

a. Marriott refers to a blog post published by Elizabeth Denham
on 9 August 2017.1 Whilst i i true that the post states that

the Commissioner will not “simply scale up penalties” issued
under the DPA 1998, i also states: “Don’t get me wrong, the
UK fought for increased powers when the GDPR was being

drawn up. Heavy fines for serious breaches reflect just how
important personal data is in the 21°* century world. We intend

to use those powers proportionately and judiciously.”

b. Marriott refers to a speech made by James Dipple-Johnstone at
the Data Protection Practitioner’s Conference on 9 April 2018,/°

however the quotation which Marriott selectively cited i
preceded by a summary of the approach the Commissioner

intended to take, including “we will look at each case on its own
merits. We'll look at the features and context of each case. And,
this is important, we will focus on area of greatest risk to people

- potential or actual harm... The more serious, high impact,
deliberate, wilful or repeated breaches can expect the most

robust response.”

7.98. There i nothing within these quotations which can be read as giving
rise to a legitimate expectation that the Commissioner would either:

(a) issue fines i accordance with the previous maximum limit which
applied under the DPA 1998 and/or past cases issued under that
Act; or (b) only apply incremental increases to the level of fine that

would have been imposed under the DPA 1998.16 As made clear i
the blog and speech to which Marriott has referred, the

Commissioner had always been clear that she would (in accordance
with her obligations) use her full powers ona case by case basis, to

162 Marriott’s Second Representations, para 1.29(a).
163 Marriott’s Second Representations, para 1.29(b).
164 Marriott’s Second Representations, paras 1.30-1.31.
19 impose effective, proportionate and dissuasive penalties i
appropriate cases, which includes the possibility of large fines.

7.99. Marriott accepted i its Second Representations that the
Commissioner i not constrained by the previous statutory

maximum of £500,000.'© But i practice, its attempt to limit the
Commissioner to only making incremental increases to the fine level
that would have applied under the DPA 1998 amounts to the same

thing. The starting point i the application of Article 83 GDPR, the
DPA 2018 and the RAP. I i not what the decision would have been

under a superseded legal regime.

The alleged lack of legal certainty

7.100. As set out above, the Commissioner recognises that i imposing a

penalty on a controller, she must comply with any relevant
fundamental rights that are engaged, including under the ECHR or

the EU Charter. She does not accept, however, that the penalty
regime applicable under, i particular, Article 83 GDPR lacks
sufficient certainty such that i cannot be lawfully applied. That i i

effect Marriott’s case. I contends that unless the Commissioner
applies a precedents-based approach based on decisions made

under the DPA 1998, i i impossible for the Commissioner to meet
the requirement of legal certainty.1®

7.101. The DPA reflects the directly applicable EU law framework for

determining penalties. The Commissioner does not agree with
Marriott that Article 83 GDPR or section 155 DPA are so unclear that

they are unlawful. Taken together, those provisions specify the
circumstances i which a data protection authority has the power to
impose an administrative penalty, and the matters that are relevant

to that decision and the amount of any penalty. The legislative
regime i supplemented by the RAP, which provides additional
guidance i this regard. Contrary to para 4.60 of Marriott’s First

Representations, the RAP cannot be dismissed as “unclear and open-
ended”.

7.102. Marriott’s submissions on legal certainty are wrong for the following
seven reasons.

165 Marriott’s Second Representations, para 1.30.
166 Marriott’s First Representations, paras 4.50-4.73.
807.103. First, in accordance with section 161 DPA 2018 the RAP was laid

before Parliament for approval, and was duly approved.

7.104. In its Second Representations, Marriott emphasised the fact that
Articles 83(8)-(9) and 70(1)(k) GDPR “directly envisage and expect”

that the high-level principles set out i the legislation will be the
subject of national or supranational guidance.!®” Pursuant to section

160 DPA, the Commissioner i obliged to issue guidance i respect
of how she will determine the amount of penalties to be imposed.
She has done so through the RAP.

7.105. Second, the RAP, which must be read alongside the DPA and, in
particular, Article 83 GDPR, provides sufficient clarity and legal

certainty, as required under the ECHR and EU law. In particular, the
RAP explains that Step 2 intends to “censure” the breach, and this

requires taking into consideration its scale (including the number of
data subjects affected) and the severity of the breach itself, and
expressly refers to the factors set out i the DPA. Examples of

aggravating factors are set out i the RAP to assist with the
interpretation of Step 3, as well as mitigating factors (to be

considered at Step 5). Marriott’s argument appears to be that
because i i possible for the RAP to be more detailed, i must follow
that the RAP i insufficiently detailed to fulfil the requirements of

legal certainty. That i not the case.

7.106. I i not suggested that i i impossible to produce more detailed

quantification guidance.1®* The GDPR i a new regime. Whilst not
necessary for the purposes of legal certainty, more detailed

guidance may well be developed over time as the UK and EU Member
States gain experience in applying i The Commissioner has
committed to updating the guidance available i the future.

However, the fact that there i potential for further development of
the guidance does not mean that the present guidance i so unclear

as to be unlawful. The RAP provides sufficient guidance as to the
circumstances i which penalties, including large penalties, will be
applied.

167 Marriott’s Second Representations, para 1.9.
168 Marriott’s Second Representations, para 1.10.
817.107. Third, i i neither necessary nor possible to produce a specific
quantification framework which tells controllers precisely what level

of fine they may face.

7.108. In para 1.9 of its Second Representations, Marriott claims that the

Commissioner cannot lawfully impose penalties without setting out
a further quantification methodology.'®? This i incorrect. The
guidance available from Article 83 GDPR, the DPA and the RAP,

cannot be rejected as legally uncertain purely on the basis that i
does not attempt to specify exactly what levels of penalty might

attach to wrongdoing.'”°

7.109. I would be impossible for the Commissioner to specify all the types
of situations, and relevant circumstances, i which a penalty may

be imposed under the GDPR. Nor could any guidance permit a
controller to calculate specifically what any fine might be (especially

by reference to a particular fine). The guidance must be general
enough i order to cover a wide range of potential situations, and
respect the general discretion of the Commission (subject to public

law principles). The GDPR also requires the Commissioner to take a
case-by-case approach, guided by the need to ensure that any

penalty i effective, proportionate and dissuasive, and subject to the
prescribed turnover caps.

7.110. Fourth, contrary to Marriott’s submissions,‘7! there i also no flaw i

the Commissioner’s approach because, on the particular facts of this
case, no adjustments needed to be made at certain steps i the
process. The draft decision explained clearly, i particular, that: (a)

the need to ensure the penalty i dissuasive was taken into account
sufficiently under Step 2 such that there was no need for a further

uplift reflecting the need for the penalty sum to deter others under
Step 4;172 and (b) the mitigating factors had been taken into account
under Step 2, so no adjustment was made at Step 5 to avoid

‘double-counting’. The fact that certain steps did not require
adjustments to be made i a particular case particular case does not

render the RAP, which i intended to be of general application,
“deficient” .173

169 Marriott’s Second Representations, para 7.93.
170 Marriott’s Second Representations, paras 1.7-1.10.
171 Marriott’s Second Representations, para 1.34.
172 Marriott’s Second Representations, para 1.34.
173 Marriott’s Second Representations, para 1.10, see also para 1.34.
827.111. In any event, to assist Marriott, the Commissioner has dealt with

the mitigating factors arising i this case under Step 5 of the analysis
(rather than Step 2, see para 7.40 above) so that i can see the

impact of these factors on the overall level of penalty.

7.112. Fifth, as explained at paragraph 7.68 above, the Draft Internal

Procedure was not developed and i not relied upon for the purposes
of meeting the legal certainty requirement, contrary to Marriott’s

submissions during the course of the investigation.1’* While i was
intended to be a helpful supplement to the RAP for internal decision-
making purposes, i has been disregarded for the purposes of this

Notice.

7.113. Sixth, for the reasons given above i respect of Marriott’s legitimate

expectation argument, i i not open to the Commissioner to re-
impose the different, UK-only, legislative cap on fines i the manner

sought by Marriott. The bands which applied under the DPA 1998,
and the decisions made under i cannot be relied upon as a

justification for the Commissioner to fail to comply with EU law.

7.114. Finally, as to the claim made by Marriott that other bodies, namely

the FCA and the EU Commission, apply more rigorous and more
predictable rules, i i noted that each regulator must take

enforcement action within the bounds of its own legal obligations,
and i this case the Commissioner i bound to comply, i particular,
with Article 83 of the GDPR.*7°

Other decisions by the Commissioner / Decisions by other European
authorities

7.115. Marriott submitted i its Representations that the proposed penalty
i inconsistent with previous action by the Commissioner and other

EU supervisory authorities, contrary to the stated aim of GDPR being
to create a harmonised regime. ?’° In its Representations,’”” Marriott

states that the proposed penalty i (a) inconsistent with action taken
by other EU supervisory authorities, (b) contrary to the stated aim

of the GDPR being a harmonised regime; and (c) inconsistent with

174 Marriott’s First Representations, para 4.61 and MarriotRepresentations, para 1.4.
175 The submissiomade at paras 1.20-1.25 of Marriott’s SRepresentations are noted.
1.12-1.19.tt’s First Representaparas 4.69-4.7and Marriott’s SeconRepresentationsparas
177 Marriott’s Second Representations, paras 1.14-1.19.

83 the decision taken by the Commissioner i a different case. Marriott

specifically refers to the following cases:

a. the decision by CNIL to impose a €50 million penalty on Google.
Marriott contended that the infringements i Google’s case

were more serious than those considered i this Notice.

b. the Austrian Data Protection Authority against Osterreichische

Post AG, which was fined €18 million;

c a €2.6 million fine issued by the Bulgarian Commission of
Personal Data Protection to the Bulgarian Revenue Agency i

relation to a cyber-attack which affected over 5 million data
subjects;

d. a fine of €645,000 imposed on Morele.net by the Polish
supervisory authority for a cyber-attack affecting over 2 million

data subjects;

e. a fine of €150,000 impose on Raiffeisen Bank by the Romanian
supervisory authority concerning the misuse of customer data

by employees of the bank;

f the Romanian authority on UniCredit Bank SA. The company

was fined of €130,000 for a breach of Article 25 GDPR due to
the compromise of payment details, when its worldwide
turnover for 2018 was of €18 billion; and

g. the Commissioner’s decision regarding Doorstep Dispensaree
Ltd, dated 20 December 2019.

7.116. The purpose of GDPR i as Marriott contends, to secure a
harmonised regime. However, that harmonisation i achieved

through the application of harmonised rules and standards to the
particular facts of the case at issue. Any cross-border processing
decision must then be subject to the Article 60 process.

7.117. The Commissioner, along with other EU supervisory authorities,
must comply with her obligations under Article 83 and that means

that she i required to impose a penalty which, i her own judgment,
having regard to all the matters listed i Article 83, and on the facts

of the individual case, i effective, proportionate, and dissuasive. In
principle, ‘equivalent’ breaches should attach ‘equivalent’ penalties.

84 But i practice, each case will turn on its own particular facts. Whilst

the Commissioner has considered the limited information available
about the cases to which Marriott has referred, she maintains that
simple comparisons of the penalties imposed i different cases do

not show that the Commissioner has erred i applying Article 83
GDPR, DPA and/or the RAP.

7.118. There i a great degree of variation i the penalties imposed by
supervisory authorities even i the context of the limited fines
imposed to date,?”® which are - i the Commissioner’s view -

indicative of a decision-making process that i fact-specific. I would
be premature and not necessarily helpful to rely heavily at this

juncture on a survey of the action taken by other supervisory
authorities, given the relatively few decisions that have been taken

under the new regime. This i particularly the case where there i
limited public information available about the reasons for the
decisions taken by other authorities.

7.119. In any event, as the Commissioner i acting as lead authority i this
case, the way to ensure consistency i not by comparing the penalty

to a selection of other penalties issued on different facts in the EU.
Rather, the consistency mechanism provided for by Articles 60(4)
and 63 GDPR will allow for all of the supervisory authorities

concerned to cooperate with the Commissioner, make enquiries, and
contribute their views i order to ensure the consistency of the

ultimate penalty sum with penalties that have been ( there are any)
and/or will be applied i similar situations. The Article 60 process i

one of the factors which, as noted in Article 63, contributes to the
consistent application of the GDPR and the Commissioner i entitled
to rely on the process as a contributory factor.

(7) Application of the RAP

7.120. In response to the NOI and/or the draft decision, Marriott submitted
that the Commissioner had acted contrary to the RAP by: (a) failing

to consider separately the appropriate fines for the provisionally
found breaches of Articles 33 and 34 GDPR, from those i relation
to Articles 5(1)(f) and 32 GDPR; (b) failing to adopt the starting

178 Notably the decision of the FrSA, the CNIL, to fine Goog50 million EuroSee also
https://www.enforcementtracker.cowhich suggests there i significant variation i the level of
fines that have been imposed to date, ranging from a few thousand to millions of pounds.

85 point that any penalty of over £1 million i reserved for very

significant cases; and/or (c) failing to correctly apply the factors that
the RAP categorises as determining whether a higher penalty can be
imposed.+79

7.121. As to the first issue, the Commissioner has not included in her final
decision a finding that Marriott breached Article 33 or 34 GDPR.

Thus, this issue no longer arises.

7.122. The second issue i based on a misreading of the RAP. Marriott
misunderstood the discussion of the circumstances i which she may

convene an advisory panel. This point has been addressed above at
paras 7.76-7.77.

7.123. In response to the draft decision, Marriott submitted that the
Commissioner i seeking to “reinterpret” the wording of page 26 of

the RAP i this regard. That i incorrect. The section of the RAP
which addresses specifically the setting of a penalty does not refer
to this concept of “very significant” penalties at all. This language i

used only to describe the types of situations i which the
Commissioner may convene an advisory panel.!®°

7.124. Marriott also submitted that the fact that: “the ICO appears to have
determined that this case is not significant enough to merit
convening the panel, which is entirely inconsistent with the fine

imposed and further demonstrates the arbitrariness of this process.”
181 This submission i unfounded. The Commissioner has discretion

over whether to convene a panel. The reasons why a panel was not
convened i this case was explained i correspondence, i.e. this

decision would be subject to the Article 60 consultation process. In
such circumstances, the panel was unnecessary. I does not imply
that this case lacks significance. For the reasons outlined above, this

case has been found to involve significant breaches of the GDPR.

7.125. The third issue was also based on a misinterpretation or

misapplication of the RAP. Contrary to Marriott’s submissions, ! ®2 the
RAP does not set out at page 27 the only categories of cases i which
i i justifiable for the Commissioner to impose a high penalty. The

179 Marriott’s First Representaparas 4.42-4.49and Marriott’s SecoRepresentationsparas
1.32-1.34.
180 Page 26 of the RAP.
181 Marriott’s Second Representations, para 1.33.
182 Marriott’s Second Representations, para 1.32.
86 examples provided are not to be applied as a list of criteria which

must be met i any case before a penalty exceeding £1 million can
be imposed. They provide a general indication of the circumstances
i which a penalty will be higher. The Commissioner i not therefore

departing from guidance i a manner which has to be justified. This
Penalty Notice explains why the fine set i appropriate.

7.126. The GDPR was enacted i 2016 and came into force two years later.
Data controllers, especially global undertakings of the size of
Marriott, would have been fully aware of the maximum penalties

permitted by GDPR. The reference to the sum of £1 million i the
RAP does no more than describe the circumstances i which the

Commissioner may decide to convene an advisory panel, and page
27 of the RAP cannot be relied upon to confine the Commissioner’s

power to impose penalties i the manner sought by Marriott. The
decision as to whether a penalty should be imposed and at what
level, i order to provide an effective, proportionate and dissuasive

result has to be reached through the application of Article 83(2)
GDPR and section 155 DPA 2018. It i clear from the RAP that the

Commissioner will adopt a case-specific approach, taking into
account all relevant considerations. That i the approach taken i
this case.

(8) Proportionality

7.127. Marriott contends that the proposed penalty set out i the NOI was
disproportionate on its face.18? This argument i not accepted i

respect of the provisional penalty that was proposed i the light of
the information available at that time.

7.128. I i also not accepted that the penalty proposed i the draft decision
was also disproportionate. That proposed penalty took account of
and reflected the submissions made by Marriott i response to the

NOI. Marriott criticised the approach taken i the draft decision on
the basis that the claim that the fine proposed was proportionate

rested inappropriately on a comparison with the level of penalty set
out i the NOI1®*, That was not the approach taken. Section 7 of the
draft decision explained clearly the basis upon which, at that time,

the proposed penalty was proportionate. In any event, this Penalty
Notice explains i clear terms why the level of final penalty imposed

183 Marriott’s First Representations, paras 4.74-4.77 and Second Representations, para 1.8.
184 Marriott’s Second Representations, paras 1.8 and 1.40.
87 i proportionate i the light of the findings reached by the
Commissioner (see paragraphs 7.3-7.57 above).

7.129. The mathematical error made at para 5.43 of the draft decision i

noted.?8° No such error i made at para 7.57 above.

8. HOW THE PENALTY IS TO BE PAID

8.1. The penalty must be paid to the Commissioner’s office by BACS
transfer or cheque.

8.2. The penalty i not kept by the Commissioner but will be paid into

the Consolidated Fund which i the Government’s general bank
account at the Bank of England.

9. ENFORCEMENT POWERS

9.1. The Commissioner will not take action to enforce a penalty unless:

e all or any of the penalty has not been paid;

e all relevant appeals against the penalty notice and any variation
of i have either been decided or withdrawn; and

e the period for appealing against the penalty and any variation

of i has expired.

9.2. In England, Wales and Northern Ireland, the penalty i recoverable
by Order of the County Court or the High Court. In Scotland, the

penalty can be enforced i the same manner as an extract registered
decree arbitral bearing a warrant for execution issued by the sheriff
court of any sheriffdom i Scotland.

185 Marriott’s Second Representations, para 1.41.
88Dated the 30° day of October 2020

Elizabeth Denham
Information Commissioner

Information Commissioner’s Office

Wycliffe House
Water Lane

Wilmslow
Cheshire

SK9 5AF

89 ANNEX 1

RIGHTS OF APPEAL AGAINST DECISIONS OF THE C O M M I S S I O N E R

1. Section 162(1) of the Data Protection Act 2018 gives any
person upon whom a penalty notice has been served a right of
appeal to the First-tier Tribunal (Information Rights) (the

‘Tribunal’) against the notice.

2. I you decide to appeal and i the Tribunal considers:-

a) that the notice against which the appeal i brought i

not in accordance with the law; or

b) to the extent that the notice involved an exercise of
discretion by the Commissioner, that she ought to have

exercised her discretion differently,

the Tribunal will allow the appeal or substitute such other
decision as could have been made by the Commissioner. In

any other case the Tribunal will dismiss the appeal.

3. You may bring an appeal by serving a notice of appeal on the
Tribunal at the following address:

General Regulatory Chamber

HM Courts & Tribunals Service
PO Box 9300

Leicester
LE1 8DJ

a) The notice of appeal should be sent so i i received by

the Tribunal within 28 days of the date of the notice.

b) I your notice of appeal i late the Tribunal will not
admit i unless the Tribunal has extended the time for

complying with this rule.

90The notice of appeal should state:-

a) your name and address/name and address of your

representative (if any);

b) an address where documents may be sent or delivered
to you;

C) the name and address of the Information
Commissioner;

d) details of the decision to which the proceedings relate;

e) the result that you are seeking;

f the grounds on which you rely;

g) you must provide with the notice of appeal a copy of the

penalty notice or variation notice;
h) i you have exceeded the time limit mentioned above

the notice of appeal must include a request for an
extension of time and the reason why the notice of

appeal was not provided i time.

Before deciding whether or not to appeal you may wish to
consult your solicitor or another adviser. At the hearing of an

appeal a party may conduct his case himself or may be
represented by any person whom he may appoint for that

purpose.

The statutory provisions concerning appeals to the First-tier
Tribunal (General Regulatory Chamber) are contained i

sections 162 and 163 of, and Schedule 16 to, the Data
Protection Act 2018, and Tribunal Procedure (First-tier
Tribunal) (General Regulatory Chamber) Rules 2009

(Statutory Instrument 2009 No. 1976 (L.20)).

91