ICO - Monetary Penalty on Marriott International Inc.

From GDPRhub

{{DPAdecisionBOX


|Jurisdiction=United Kingdom
}}


The Information Commissioner’s Office (ICO) imposed a fine of GBP 18.4 million (approximately EUR 20.7 million) on Marriott International Inc (“Marriott”) for failing to ensure appropriate security when processing its customers’ personal data, thus violating [[Article 5 GDPR|Article 5(1)(f)]] and [[Article 32 GDPR]].

The investigation began following notification of an attack on Marriott’s IT systems that took place over a period including 25 May 2018 (when the GDPR came into force) to 17 September 2018. The attacker(s) had access to large amounts of customers’ personal data: Marriott estimated that they accessed 339 million guest records, of which 30.1 million related to residents of EEA countries and 7 million to the UK.


==English Summary==
Starwood Hotels and Resorts Worldwide Inc’s (“Starwood”) IT systems were first compromised by unknown attackers in 2014. Marriott acquired Starwood in 2016 but did not detect the compromise at any point between the acquisition and September 2018. Throughout that period the attackers retained access to Starwood’s systems through remote access trojan (RAT) malware and continued to extract data from Starwood databases. Marriott became aware of the attack in September 2018, following an alert raised on a table containing cardholder data, one of its most sensitive databases. Marriott then found the installed malware and evidence that databases had been exported over the years, and promptly notified both the ICO and the affected data subjects. The ICO found that the attackers had obtained personal data including unencrypted passport numbers and identifying details such as names, dates of birth and gender, as well as credit card details in encrypted form.


===Dispute===

===Holding===
Although the ICO and the affected individuals were notified promptly of the breach, the ICO found numerous failures in the technical and organisational measures protecting personal data in Marriott’s systems, as required under Article 5(1)(f) and Article 32 GDPR. The shortcomings identified by the ICO were: insufficient monitoring of privileged accounts and of their user activity; insufficient monitoring of databases; poor control over critical systems and over systems with access to large amounts of personal data; and the fact that only certain types of sensitive data were encrypted (e.g. credit card numbers) while others were not (e.g. many passport numbers). The ICO set the fine in line with [[Article 83 GDPR]] but took into account mitigating factors, namely Marriott’s efforts to inform and help the victims of the breach, the $19 million it invested in security in the following year, and the financial impact of the Covid-19 pandemic, lowering the fine from £24 million to £18.4 million.
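As an added illustration of the monitoring gap identified in the holding (this is not code from the decision, the ICO or Marriott), the following Python script runs a simple detection rule over constructed database audit-log lines: it flags any export of a table holding passport or cardholder data to a dump file, and any account whose reads from such a table exceed a row budget within a 15-minute window, with a lower budget for privileged accounts. The log format, the table and account names, the thresholds and the sample lines are all assumptions chosen for the example.

```python
"""Flag bulk exports of sensitive tables by privileged database accounts.

Added illustration, not code from the ICO decision or from Marriott. The log
format, table names, account names and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: tables whose rows contain passport or cardholder data.
SENSITIVE_TABLES = {"guest_passports", "cardholder_data"}
# Assumed: accounts with DBA-level rights; their activity gets a lower budget.
PRIVILEGED_ACCOUNTS = {"dba_svc", "sa"}
ROW_THRESHOLD = {"privileged": 10_000, "ordinary": 100_000}
WINDOW = timedelta(minutes=15)


def parse_line(line):
    """Parse one audit line of the assumed form
    '<ISO timestamp> user=<acct> op=<SELECT|EXPORT> table=<t> rows=<n> [dest=<path>]'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.fromisoformat(ts_str),
        "user": fields["user"],
        "op": fields["op"],
        "table": fields["table"],
        "rows": int(fields.get("rows", "0")),
        "dest": fields.get("dest"),
    }


def detect(lines):
    """Return alert strings for the given audit lines (assumed to be in time order)."""
    alerts = []
    # per (user, table): (timestamp, rows) events still inside the sliding window
    recent = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev["table"] not in SENSITIVE_TABLES:
            continue
        tier = "privileged" if ev["user"] in PRIVILEGED_ACCOUNTS else "ordinary"
        # Rule 1: any export of a sensitive table to a dump file is reportable on its own.
        if ev["op"] == "EXPORT" and ev["dest"] and ev["dest"].endswith(".dmp"):
            alerts.append(
                f"{ev['ts'].isoformat()} DUMP_FILE user={ev['user']} "
                f"table={ev['table']} dest={ev['dest']}"
            )
        # Rule 2: rows read from a sensitive table within WINDOW exceed the tier budget.
        key = (ev["user"], ev["table"])
        recent[key].append((ev["ts"], ev["rows"]))
        recent[key] = [(t, r) for t, r in recent[key] if ev["ts"] - t <= WINDOW]
        total = sum(r for _, r in recent[key])
        if total > ROW_THRESHOLD[tier]:
            alerts.append(
                f"{ev['ts'].isoformat()} BULK_READ user={ev['user']} "
                f"table={ev['table']} rows_in_window={total} tier={tier}"
            )
            recent[key].clear()  # one burst yields one alert, not one per line
    return alerts


# Constructed sample log for the example; not real Marriott or Starwood data.
SAMPLE_LOG = [
    "2018-09-07T02:00:00 user=web_app op=SELECT table=reservations rows=250",
    "2018-09-07T02:01:00 user=dba_svc op=SELECT table=guest_passports rows=4000",
    "2018-09-07T02:05:00 user=dba_svc op=SELECT table=guest_passports rows=7000",
    "2018-09-07T02:09:00 user=dba_svc op=EXPORT table=cardholder_data rows=50 dest=/tmp/cc.dmp",
    "2018-09-07T03:00:00 user=report_ro op=SELECT table=guest_passports rows=20000",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log the script raises two alerts: a BULK_READ for the privileged account whose two reads of the passport table total 11,000 rows within the window, and a DUMP_FILE for the export of cardholder data to a .dmp file; the ordinary reporting account stays under its budget. A rule like this is only as good as the audit trail feeding it: if reads by privileged accounts are not logged with row counts, neither rule can fire, which is the kind of monitoring gap the holding describes.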
==Further Resources==
''Share blogs or news articles here!''

See a commentary on the decision in French: https://swissprivacy.law/19/.


==English Machine Translation of the Decision==


<pre>
Information Commissioner's Office

PENALTY NOTICE

Section 155, Data Protection Act 2018

Case ref: COM0804337

Marriott International Inc
10400 Fernwood Road
Bethesda
MD 20817
USA

30 October 2020

1. INTRODUCTION & SUMMARY
1.1. This Penalty Notice is given to Marriott International Inc (“Marriott”) pursuant to section 155 and Schedule 16 of the Data Protection Act 2018 (the “DPA”). It relates to infringements of the General Data Protection Regulation (the “GDPR”), which came to the attention of the Information Commissioner (“the Commissioner”) as a result of an attack on Marriott’s IT systems[1] that took place over a period that included 25 May 2018 to 17 September 2018 (the “Attack”).

1.2. In summary, in 2014 the IT systems of Starwood Hotels and Resorts Worldwide Inc (“Starwood”) were compromised by an unknown attacker or attackers (referred to, for ease of reference, as “the Attacker”), utilising an unknown attack vector. In 2016, Marriott acquired Starwood. Marriott did not detect the Attack at any time between acquiring Starwood and September 2018, including in the period after the entry into force of the GDPR in May 2018. During this latter period, the Attacker continued to traverse through the Starwood systems and had gained access to the cardholder data environment within the Starwood network. This access allowed the Attacker to export the personal data of Starwood customers to “dmp” files on the Starwood systems, potentially with a view to taking a copy of that data. It was only when the Attacker triggered an alert in relation to a table containing cardholder data that the Attack was discovered and could be mitigated. The personal data of a large number of individuals was involved in the Attack, including cardholder data, although the Commissioner has not seen any evidence of financial harm to individuals. Following the alert, Marriott promptly informed affected data subjects and took immediate steps to mitigate the effects of the Attack and to protect the interests of data subjects by implementing remedial measures.

1.3. Marriott is an international hotel chain, with operational headquarters in the USA. The provisions of the DPA and the GDPR apply to the processing of personal data by Marriott by virtue of section 207(2) DPA and Article 3(1) GDPR. Marriott has confirmed that Marriott Hotels Limited is Marriott’s main establishment within the EU, as defined in Article 4(16) GDPR.

[1] References in this decision to Marriott’s systems / network / security etc. concern the IT systems etc. that Marriott acquired from Starwood in September 2016 and retained and continued to use post-acquisition.

1.4. The data subjects affected by this breach were customers of Starwood, which was at the relevant time owned by Marriott, in the United Kingdom, elsewhere in the EU, and in the rest of the world.

1.5. Marriott was the controller in respect of the personal data of its customers within the meaning of section 6 DPA and Article 4(7) GDPR, as it determined the purposes and means of the processing of the personal data. By inter alia collecting, recording, organising, structuring and storing the personal data of its customers, Marriott was processing that data within the meaning of section 3(4) DPA and Article 4(2) GDPR.

1.6. Marriott has not admitted liability for breach of the GDPR. However, for the reasons set out in this Penalty Notice, the Commissioner has found that Marriott failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures, as required by Article 5(1)(f) and Article 32 GDPR.

1.7. The Commissioner has found that, in all the circumstances, and having regard, in particular, to Marriott’s representations and the matters listed in Article 83(1) and (2) GDPR, the infringements constitute a serious failure to comply with the GDPR and, accordingly, that the imposition of a penalty is appropriate. The amount of the penalty that the Commissioner has decided to impose, having taken into account a range of mitigating factors set out further below and the impact of the Covid-19 pandemic, is £18.4 million.

1.8. Pursuant to Article 56 GDPR, the Commissioner is acting as lead supervisory authority in respect of the cross-border processing at issue in this case.

2. LEGAL FRAMEWORK

GDPR
2.1. On 25 May 2018, the GDPR entered into force, replacing the previous EU law data protection regime that applied under Directive 95/46/EC (“Data Protection Directive”).[2] The GDPR seeks to harmonise the protection of fundamental rights in respect of personal data across EU Member States and, unlike the Data Protection Directive, is directly applicable in every Member State.[3]

2.2. The GDPR was developed and enacted in the context of challenges to the protection of personal data posed by, in particular:
    a. the substantial increase in cross-border flows of personal data resulting from the functioning of the internal market;[4] and
    b. the rapid technological developments which have occurred during a period of globalisation.[5] As Recital (6) explains: “... The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities....”

2.3. Such developments made it necessary for “a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market...”.[6]

2.4. Against that background, the GDPR imposed more stringent duties on controllers and significantly increased the penalties that could be imposed for a breach of the obligations imposed on controllers (amongst others).[7]

[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[3] Recital 3.
[4] Recital 5.
[6] Recital 7.
[7] See, in particular, Recitals 11, 148, 150, and Article 5, Chapter IV and Article 83.

The relevant obligations
2.5. Chapter I GDPR sets out the general provisions. Article 5 of Chapter II GDPR sets out the principles relating to the processing of personal data. Article 5(1) lists the six basic principles that controllers must comply with in processing personal data, including:
    1. Personal data shall be:
    ... (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

2.6. Article 5(2) GDPR makes it clear that the “controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)”.

2.7. Chapter IV, Section 1 addresses the general obligations of controllers and processors. Article 24 sets out the responsibility of controllers for taking appropriate steps to ensure and be able to demonstrate that processing is compatible with the GDPR. Articles 28-29 make separate provision for the processing of data by processors, under the instructions of the controller.

2.8. Chapter IV, Section 2 addresses security of personal data. Article 32 GDPR provides:
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
        (a) the pseudonymisation and encryption of personal data;
        (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
        (c) ...
        (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
    2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

2.9. Article 32 GDPR applies to both controllers and processors.
Penalties

2.10. Article 83(1) GDPR requires supervisory authorities to ensure that any penalty imposed in each individual case is “effective, proportionate and dissuasive”.

2.11. The principle that penalties ought to be effective, proportionate and dissuasive is a longstanding principle of EU law. The Commissioner is under an EU law obligation to ensure that infringements of the GDPR are penalised in a manner that is effective, proportionate and dissuasive.

2.12. Further, Recital 148 emphasises, inter alia, that “in order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation.” It also records that due regard should be given to the:
    ... nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor...

2.13. Recital 150 provides as follows:
    In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.

2.14. In line with the above, when deciding whether to impose a fine and the appropriate amount of any such fine, Article 83(2) GDPR requires the Commissioner to have regard to the following matters:
    (a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
    (b) the intentional or negligent character of the infringement;
    (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
    (d) the degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
    (e) any relevant previous infringements by the controller or processor;
    (f) the degree of co-operation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
    (g) the categories of personal data affected by the infringement;
    (h) the manner in which the infringement became known to the supervisory authority, including whether, and if so to what extent, the controller or processor notified the supervisory authority of the infringement;
    (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
    (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
    (k) any other aggravating or mitigating factor applicable to the case, including financial benefits gained, or losses avoided, directly or indirectly from the infringement.[8]

2.15. Article 83(5) GDPR provides that infringements of the basic principles for processing imposed pursuant to Article 5 GDPR will, in accordance with Article 83(2) GDPR, be subject to administrative fines of up to €20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

2.16. Article 83(4) GDPR provides, inter alia, that infringements of the obligations imposed by Article 32 GDPR on the controller and processor will, in accordance with Article 83(2) GDPR, be subject to administrative fines of up to €10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

[8] See also the Article 29 Data Protection Working Party Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, adopted on 3 October 2017, endorsed by the European Data Protection Board at its first plenary session. These provide a high-level overview of the assessment criteria set out in Article 83(2) GDPR in Section III (“the Article 29 WP Guidelines”).
2.17.  Article 83(3) GDPR  addresses the circumstances      i which the same
        or linked processing operations give rise to infringements of several
        provisions of the GDPR.    I provides that “.. the total amount of the
        administrative  fine shall not exceed  the amount    specified for the
        gravest infringement”.
2.18.  Article 83(8)  GDPR  provides that the exercise    by any supervisory
        authority  of its powers    to fine  undertakings    will be subject    to
        procedural  safeguards,    including an effective judicial remedy    and
        due process.
        Cooperation  and  consistency
2.19.  Where,  as here, the processing    i issue i cross-border, Article 56
        GDPR  makes    provision  for the designation    of a lead supervisory
        authority.  In this case,  the Commissioner      i acting  as the  lead
        supervisory authority. Chapter VII GDPR      establishes the regime for
        ensuring cooperation between lead and other concerned supervisory
        authorities, permitting  unified decision-making.?
2.20.  Article 60 GDPR  provides:
            1. The lead supervisory    authority shall cooperate    with the
            other supervisory authorities concerned      in accordance    with
            this Article in an endeavour    to reach  consensus.    The lead
          supervisory    authority  and    the  supervisory    authorities
            concerned shall exchange    all relevant information  with each
            other.
            2. The lead supervisory authority may      request at any time
            other supervisory    authorities concerned    to provide  mutual
            assistance  pursuant    to Article  61  and  may    conduct joint
            operations  pursuant  to Article 62, in particular for carrying
            out investigations  or for monitoring  the implementation    of a
            measure  concerning a controller or processor established in
            another Member State.
            3.  The  lead  supervisory  authority  shall,  without  delay,
            communicate    the relevant information on the matter to the
            other  supervisory  authorities  concerned.  It shall  without
° The relevant provisions enacting this regime must be read subject to, i particular, Articles 7, 70
and 127-128 and 131 of the Withdrawal Agreebetween the EU and United Kingdom.
                                                                                9delay  submit  a draft  decision  to  the  other  supervisory
authorities concerned for their opinion and take due account
of their views.
4. Where any of the other supervisory authorities concerned
within a period of four weeks after having been consulted in
accordance    with paragraph    3 of this Article,  expresses    a
relevant and reasoned objection to the draft decision, the lead
supervisory authority shall, if i does not follow the relevant
and reasoned objection or is of the opinion that the objection
is not  relevant  or  reasoned,  submit  the  matter    to  the
consistency mechanism      referred to in Article 63.
5. Where the lead supervisory authority intends to follow the
relevant and reasoned objection made, i shall submit to the
other  supervisory  authorities  concerned    a revised    draft
decision for their opinion. That revised draft decision shall be
subject to the procedure referred to in paragraph      4 within a
period of two weeks.
6. Where none of the other supervisory authorities concerned
has  objected  to the draft decision    submitted    by the lead
supervisory    authority  within  the  period  referred  to  in
paragraphs  4 and 5, the lead supervisory authority and the
supervisory authorities concerned shall be deemed        to be in
agreement    with that draft decision and shall be bound by i
7. The lead supervisory authority shall adopt and notify the
decision to the main establishment or single establishment of
the controller or processor,    as the case may    be and inform
the other supervisory authorities concerned and the Board of
the decision in question, including a summary      of the relevant
facts and grounds.    The supervisory authority    with which  a
complaint has been lodged shall inform the complainant on
the decision.
8. By  derogation  from  paragraph    7, where  a complaint  is
dismissed or rejected, the supervisory authority with which
the complaint was lodged shall adopt the decision and notify
i to the complainant and shall inform the controller thereof.
9. Where the lead supervisory authority and the supervisory
authorities concerned    agree  to dismiss or reject parts of a
complaint  and  to act on other parts    of that complaint,    a
separate decision shall be adopted for each of those parts of
the matter.  The lead supervisory    authority shall adopt    the
decision  for the part concerning    actions  in relation  to the
                                                                    10          controller, shall notify i to the main establishment or single
          establishment of the controller or processor on the territory
          of its Member State and shall inform the complainant thereof,
            while the supervisory authority of the complainant shall adopt
            the decision for the part concerning dismissal or rejection of
            that complaint,  and shall notify i to that complainant      and
          shall inform the controller or processor thereof.
            10. After being notified of the decision of the lead supervisory
          authority pursuant to paragraphs      7 and 9, the controller or
          processor    shall  take  the  necessary    measures    to ensure
          compliance    with the decision as regards processing activities
          in the context    of all its establishments    in the Union.  The
          controller or processor shall notify the measures        taken  for
          complying with the decision to the lead supervisory authority,
            which  shall  inform  the  other    supervisory    authorities
          concerned.  .
2.21.  Article 60(4)  refers to the  consistency  mechanism,    which  i i
        Section 2 of Chapter VII GDPR.      Article 63 provides that: “In order
        to  contribute  to  the  consistent  application  of this  Regulation
        throughout  the Union,  the supervisory authorities shall cooperate
        with each other and, where relevant, with the Commission,        through
        the consistency mechanism      as set out in this Section.” Article 65
        GDPR  provides, insofar as relevant, that:
    Dispute resolution by the Board

    1. In order to ensure the correct and consistent application of this Regulation in individual cases, the Board shall adopt a binding decision in the following cases:

        (a) where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead authority or the lead authority has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject

    2. The decision referred to in paragraph 1 shall be adopted within one month from the referral of the subject-matter by a two-thirds majority of the members of the Board. That period may be extended by a further month on account of the complexity of the subject-matter. The decision referred to in paragraph 1 shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them.

    3. Where the Board has been unable to adopt a decision within the periods referred to in paragraph 2, it shall adopt its decision within two weeks following the expiration of the second month referred to in paragraph 2 by a simple majority of the members of the Board. Where the members of the Board are split, the decision shall be adopted by the vote of its Chair.

    4. The supervisory authorities concerned shall not adopt a decision on the subject matter submitted to the Board under paragraph 1 during the periods referred to in paragraphs 2 and 3.

    5. The Chair of the Board shall notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. It shall inform the Commission thereof. The decision shall be published on the website of the Board without delay after the supervisory authority has notified the final decision referred to in paragraph 6.

    6. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and at the latest by one month after the Board has notified its decision. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged, shall inform the Board of the date when its final decision is notified respectively to the controller or the processor and to the data subject. The final decision of the supervisory authorities concerned shall be adopted under the terms of Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in that paragraph will be published on the website of the Board in accordance with paragraph 5 of this Article. The final decision shall attach the decision referred to in paragraph 1 of this Article.
DPA

The Commissioner

2.23. Section 115 DPA establishes that the Commissioner is the UK’s supervisory authority for the purposes of the GDPR. Section 115 DPA provides, inter alia, that the Commissioner’s powers under Articles 58(2)(i) (the power to impose administrative fines) and 83 GDPR are exercisable only by giving a penalty notice under section 155 DPA.
Penalties

2.24. Section 155(1) DPA provides that, if the Commissioner is satisfied that a person has failed or is failing as described in section 149(2) DPA, the Commissioner may, by written notice (a “penalty notice”), require the person to pay to the Commissioner an amount in sterling specified in the notice.

2.25. Section 149(2) DPA provides:

    (1) The first type of failure is where a controller or processor has failed, or is failing, to comply with any of the following -
    (a) a provision of Chapter II of the GDPR or Chapter 2 of Part 3 or Chapter 2 of Part 4 of this Act (principles of processing);
    (b) ...
    (c) a provision of Articles 25 to 39 of the GDPR or section 64 or 65 of this Act (obligations of controllers and processors)...

2.26. Section 155 DPA sets out the matters to which the Commissioner must have regard when deciding whether to issue a penalty notice and when determining the amount of the penalty.

2.27. Section 155(2) DPA provides that, subject to subsection (4), when deciding whether to give a penalty notice to a person and determining the amount of the penalty, the Commissioner must have regard to the matters listed in Article 83(1) and (2) GDPR.

2.28. Schedule 16 includes provisions relevant to the imposition of penalties. Paragraph 2 makes provision for the issuing of notices of intent to impose a penalty, as follows:

    (1) Before giving a person a penalty notice, the Commissioner must, by written notice (a “notice of intent”) inform the person that the Commissioner intends to give a penalty notice.
    (2) The Commissioner may not give a penalty notice to a person in reliance on a notice of intent after the end of the period of 6 months beginning when the notice of intent is given, subject to sub-paragraph (3).
    (3) The period for giving a penalty notice to a person may be extended by agreement between the Commissioner and the person.

2.29. Paragraph 5 sets out the required contents of a penalty notice, in accordance with which this Penalty Notice has been prepared.
Guidance

2.30. Section 160 DPA requires the Commissioner to produce and publish guidance about how she intends to exercise her functions. With respect to penalty notices, such guidance is required to include:

    (a) provision about the circumstances in which the Commissioner would consider it appropriate to issue a penalty notice;
    (b) provision about the circumstances in which the Commissioner would consider it appropriate to allow a person to make oral representations about the Commissioner’s intention to give the person a penalty notice;
    (c) provision explaining how the Commissioner will determine the amount of penalties;
    (d) provision about how the Commissioner will determine how to proceed if a person does not comply with a penalty notice.

2.31. Pursuant to section 161 DPA, the Commissioner’s first guidance documents issued under section 160(1) DPA had to be consulted upon and laid before Parliament by the Secretary of State in accordance with the procedure set out in that section. Thereafter, in issuing any altered or replacement guidance, the Commissioner is required to consult the Secretary of State and such other persons as she considers appropriate. The Commissioner must also arrange for such guidance to be laid before Parliament.
The Commissioner’s Regulatory Action Policy

2.32. On 4 May 2018, the Commissioner opened a consultation process on how the Commissioner planned to discharge her regulatory powers under the DPA. The consultation attracted responses from across civil society, commentators, and industry (including the finance and insurance, online technology and telecoms, and charity sectors). The consultation ended on 28 June 2018. Having taken all the views received during the consultation process into account, the Regulatory Action Policy (the “RAP”) was submitted to the Secretary of State and laid before Parliament for approval.

2.33. Pursuant to section 160(1) DPA, the Commissioner published her RAP on 7 November 2018. Under the heading “Aims”, the RAP explains that it seeks to:

    • “Set out the nature of the Commissioner’s various powers in one place and to be clear and consistent about when and how we use them”;
    • “Ensure that we take fair, proportionate and timely regulatory action with a view to guaranteeing that individuals’ information rights are properly protected”;
    • “Guide the Commissioner and our staff in ensuring that any regulatory action is targeted, proportionate and effective...”[10]

2.34. The objectives of regulatory action are set out at page 6 of the RAP, including:

    • “To respond swiftly and effectively to breaches of legislation which fall within the ICO’s remit, focussing on [inter alia] those adversely affecting large groups of individuals”.
    • “To be effective, proportionate, dissuasive and consistent in our application of sanctions”, targeting action taken pursuant to the Commissioner’s most significant powers on, inter alia, “organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data”.

[10] RAP, page 5.
2.35. The RAP explains that the Commissioner will adopt a selective approach to regulatory action.[11] When deciding whether and how to respond to breaches of information rights obligations she will consider criteria which include the following:

    • “the nature and seriousness of the breach or potential breach”;
    • “where relevant, the categories of personal data affected (including whether any special categories of personal data are involved) and the level of any privacy intrusion”;
    • “the number of individuals affected, the extent of any exposure to physical, financial or psychological harm, and, where it is an issue, the degree of intrusion into their privacy”;
    • “whether the issue raises new or repeated issues, or concerns that technological security measures are not protecting the personal data”;
    • “the cost of measures to mitigate any risk, issue or harm”;
    • “the public interest in regulatory action being taken (for example, to provide an effective deterrent against future breaches or clarify or test an issue in dispute)”.[12]

2.36. The RAP explains that, as a general principle, “more serious, high-impact, intentional, wilful, neglectful or repeated breaches can expect stronger regulatory action”.[13]

2.37. Pages 24-25 of the RAP identify the circumstances in which the issuing of a Penalty Notice will be appropriate. They explain, inter alia, that in “considering the degree of harm or damage we may consider that, where there is a lower level of impact across a large number of individuals, the totality of that damage or harm may be substantial, and may require a sanction.” The RAP stresses that each case will be assessed objectively on its own merits. However, it explains that, in accordance with the Commissioner’s risk-based approach, a penalty is more likely to be imposed in, inter alia, the following situations:

    • “a number of individuals have been affected”;
    • “there has been a degree of damage or harm (which may include distress and/or embarrassment)”; and
    • “there has been a failure to apply reasonable measures (including relating to privacy by design) to mitigate any breach (or the possibility of it)”.

[11] RAP, pages 6-7 and 10.
[12] RAP, pages 10-11.
[13] RAP, page 12.

2.38. The process the Commissioner will follow in deciding the appropriate amount of penalty to be imposed is described from page 27 onwards. In particular, the RAP sets out the following five-step process:

    a. Step 1. An ‘initial element’ removing any financial gain from the breach.
    b. Step 2. Adding in an element to censure the breach based on its scale and severity, taking into account the considerations identified at section 155(2)-(4) DPA.
    c. Step 3. Adding in an element to reflect any aggravating factors. A list of aggravating factors which the Commissioner would take into account, where relevant, is provided at page 11 of the RAP. This list is intended to be indicative, not exhaustive.
    d. Step 4. Adding in an amount for deterrent effect to others.
    e. Step 5. Reducing the amount (save that in the initial element) to reflect any mitigating factors, including ability to pay (financial hardship). A list of mitigating factors which the Commissioner would take into account, where relevant, is provided at page 11-12 of the RAP. This list is intended to be indicative, not exhaustive.
3. CIRCUMSTANCES OF THE FAILURE: FACTS

Marriott’s acquisition of the Starwood network

3.1. Marriott acquired Starwood in September 2016. During the acquisition process, Starwood shareholders received 0.8 shares of Marriott, as well as $21 per Starwood common stock. After the acquisition, the Marriott and Starwood computer systems were kept separate, and they remained separate throughout the relevant period. Marriott did, however, plan on integrating aspects of the Starwood network into the Marriott network over an 18-month period in order to create a single, unified network within Marriott’s security footprint.

3.2. Upon acquisition, but prior to decommissioning the Starwood network, Marriott made enhancements to the security of Starwood’s existing IT network.

3.3. During the acquisition process, Marriott states that it was only able to carry out limited due diligence on the Starwood data processing systems and databases.[14] For the avoidance of any doubt, the Commissioner is not making any finding of infringement in respect of the period between Marriott’s acquisition of Starwood and the entry into force of the GDPR on 25 May 2018. Accordingly, the Commissioner has not determined whether or not it was possible for Marriott to conduct due diligence during a takeover. There may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover.

3.4. This Penalty Notice concerns the extent to which, after the GDPR came into effect on 25 May 2018, Marriott adequately prepared the Starwood systems to protect personal data. In particular, it is necessary to assess whether the Attack disclosed a failure to ensure compliance with Articles 5.1(f) and 32 of the GDPR following its entry into force.
The planned integration of the Starwood and Marriott networks

3.5. The integration of Starwood into the Marriott hotels group began following the acquisition. While this involved the transferring of data from the Starwood systems to the Marriott network, the systems accessed by the Attacker remained segregated from the Marriott network.

3.6. As a result, the Attack did not involve access to the wider Marriott network and the Attacker would not have had access to personal data that was processed only on non-Starwood systems. The planned migration and the decommissioning of the Starwood systems was expedited by Marriott after discovery of the Attack and the decommissioning of the relevant Starwood systems was completed on 11 December 2018.

[14] See, for example, the representations served by Marriott in response to the Commissioner’s Notice of Intent (“Marriott’s First Representations”), para 1.33.
The Attack

3.7. What follows is a summary of the key stages of the Attack.

Pre-acquisition infiltration of the Starwood IT systems

3.8. The Attacker installed a web shell on a device within the Starwood network on 29 July 2014. This device was used to support an Accolade software application. That application was used by Starwood to allow employees to request changes to any content of Starwood’s website.

3.9. The installation of a web shell on the server gave the Attacker the ability to remotely access the system, therefore allowing for the accessing and editing of the contents of that system. This access was exploited in order to install Remote Access Trojans (“RATs”) - malware which enables remote administrator control of the system. Administrator access allows a user to perform actions above that permitted by a normal user. As a result, the Attacker would have had unrestricted access to the relevant device, and any other devices on the network to which that administrator account would have had access.

3.10. On an undetermined date, the Attacker installed and executed “Mimikatz”. This is a post-exploitation tool which allows login credentials temporarily stored in the system memory to be harvested. It scanned the server for all the usernames and passwords stored in this manner in the system and allowed the Attacker to continue to compromise user accounts, which were secured using a mixture of single and multi-factor authentication.[15] These accounts were then used to perform further reconnaissance and, ultimately, to run commands on the Starwood reservation database, as described below.
3.11. On 15 April 2015, a file named “Reservation_Room_sharer.dmp” was created on a Starwood device. This file could have been created by the Attacker with a view to exfiltrating all the data contained in the table at once.[16]

3.12. On 21 April 2015, a file named “Consumption_Roomtype.dmp” was created. This file could have been created by the Attacker with a view to exfiltrating all the data contained in this table at once.[17]

3.13. On 17 May 2016, a file named “reservation_Room_Sharer.dmp” was created. This file could have been created by the Attacker with a view to exfiltrating all the data contained in this table at once.[18]

3.14. Following Marriott’s acquisition of Starwood, on 31 December 2016 or 1 January 2017,[19] additional malware which searched devices for payment card data, known as “memory-scraping malware”, was installed on multiple Starwood Devices. Marriott believes, but cannot be certain, that this action was carried out by a different attacker to the one responsible for the actions described immediately above. The memory-scraping malware was executed on 10 January 2017 on eight property management systems, but the malware was not successful in collecting payment card data from any of the devices. The eight properties involved were not in the European Union.

Continued Attack, post-acquisition and following the GDPR coming into force

3.15. On 7 September 2018, the Attacker performed a “count” on the “Guest_Master_profile” table, which would have told the Attacker how many rows the table contained.

3.16. This count triggered an alert on the Guardium system placed on the database (“the Guardium Alert”). Such alerts were applied to tables which included card details.[20] The other tables mentioned above did not contain payment card information and were not protected by Guardium software. Thus, no alarm could be triggered by the actions of the Attacker.

[15] Marriott’s First Representations, para 1.40 and page 63.
[16] Marriott’s First Representations, page 63.
[17] Marriott’s First Representations, page 63.
[18] Marriott’s First Representations, page 63.
[19] Marriott has also provided the alternative date of 1 January 2017 for this installation (see Marriott’s Second Representations, page 37).
[20] “Guardium” is data protection software produced by IBM.
3.17. The Attacker also exported the “Guest_Master_profile” table into a “dmp” file (as had previously occurred in relation to the other tables referred to above).
Discovery and reporting of the breach

3.18. On 8 September 2018, Accenture, the company managing the Starwood Guest Reservation Base, contacted Marriott’s IT team regarding the Guardium alert of the previous day. This was the first Guardium alert relating to the Attack that Marriott had received since its acquisition of Starwood.

3.19. On 10 September 2018, the “PP_Master” table was exported to a “dmp” file on the Starwood system.

3.20. Following the Guardium alert, on 9/10 September 2018, Marriott instigated its Information Security and Privacy Incident Response Plan. On 12 September 2018, Marriott began to deploy real-time monitoring and forensic tools on 70,000 legacy Starwood devices. The purpose of this measure was to monitor the local system and identify potentially malicious activity in real-time, with findings reported back to Marriott’s central monitoring server.

3.21. On 15/16 September 2018, Marriott identified further unauthorised activity from 7 July 2018, specifically the use of credentials of Accenture employees.

3.22. On 17 September 2018, the presence of a RAT was identified. Marriott took action to contain the RAT, by blocking the command-and-control IP addresses used by the RAT.

3.23. In early to mid-October 2018, the Attacker’s use of Mimikatz on a number of occasions since 2014 was identified, as was the memory-scraping malware, referred to in paragraph 3.14. On 29 October 2018, Marriott contacted the United States Federal Bureau of Investigation.

3.24. On 13 November 2018, two compressed, encrypted and previously deleted files were identified. These files were named “guest_master_profile” and “pp_master”. On 19 November 2018, the aforementioned files were decrypted, and it was found that they respectively contained an export of the Guest_Master_Profile table and the PP_Master table.

3.25. On 22 November 2018, Marriott notified the Commissioner of a personal data breach.

3.26. On 25 November 2018, Marriott discovered that a file named “Reservation_room_sharer.dmp” had been created on a Starwood device, and on 26 November 2018, Marriott identified a second file named “Reservation_room_sharer.dmp” which had been created on a Starwood device, and established that a file named “consumption_roomtype.dmp” had also been created.

3.27. On 30 November 2018, Marriott provided a follow-up report to the Commissioner regarding further personal data breaches. On the same day, Marriott issued a press release about the Attack and established a dedicated Starwood incident website. Marriott also began sending email notifications to affected data subjects on 30 November 2018. In the initial email notification to data subjects, Marriott informed them that a dedicated call centre had been set up in order to receive complaints. The email notification did not provide the telephone number for the call centre, however it did contain a link to the dedicated website, which included the telephone number of the call centre. Following telephone contact between the Commissioner’s office and Marriott, the email was updated to include the telephone number for the call centre, and Marriott sent the revised version on 9 December 2018.[21]
4. PERSONAL DATA INVOLVED IN THE FAILURE

4.1. The Attacker appears to have obtained personal data in both encrypted and unencrypted forms. The unencrypted information included:

    a. On the “Guest_Master_Profile_table” file: a numerical identifier to identify the guest, guest name, gender, date of birth, whether the guest has been identified as a VIP, whether the guest is a member of the Starwood loyalty programme and their account information (“SPG”), mailing address, passport country code, phone number, fax number, email address, and credit card expiration date.
    b. On the “reservation_room_sharer_table”: a central reservation confirmation number, a unique numerical room identifier, guest name, SPG account information, whether the guest has been identified as a VIP, a separate VIP code, 5.25 million unencrypted guest passport numbers (935,000 of which were passports associated with EEA member state records), country of guest’s passport, arrival time, departure date, address, phone and fax numbers, email address, whether the guest has checked in, flight number and airline code, and the total number of guests in the room.
    c. On the “consumption_room_type_table”: a reservation confirmation number, the Guest Master profile ID, a unique numerical room identifier, room type, number of child guests, number of adult guests, number of cribs used in the room, number of rollaway beds designed for adults and the number of rollaway beds designed for children, guest arrival date;
    d. On the “PP_master_table”: the passport number record specific decryption key. Marriott considers that this would not be sufficient to decrypt the passport numbers as a master encryption key is also required, and does not appear to have been obtained by the attackers.

4.2. The encrypted information was as follows:

    a. 18.5 million encrypted passport numbers, 4,290,000 of which were associated with EEA member state records.
    b. 9.1 million encrypted payment cards, 873,000 of which are associated with EEA member state records.[22]

4.3. Marriott’s estimate is that 339 million guest records were affected. Of these, 30.1 million were EEA records,[23] of which 7 million are associated with the United Kingdom. All data subjects who were affected pre-GDPR were also affected by the actions of the Attacker post-GDPR, as the entire contents of the affected tables were exported to “dmp” files on the Starwood system each time. However, the specific personal data involved differed between individual data subjects.

[21] Marriott’s First Representations, page 65.
[22] Marriott’s First Representations, page 65.
[23] Marriott’s First Representations, page 65.
[24] Marriott’s First Representations, page 65.
5. PROCEDURE
5.1. This section summarises the procedural steps the Commissioner has taken. The Annex to this Penalty Notice provides a more detailed chronology.
5.2. Marriott notified the Commissioner of the Attack on 22 November 2018. In response, the Commissioner commenced an investigation into the incident. That investigation included various exchanges with Marriott and considering detailed submissions and evidence.
5.3. On 5 July 2019, the Commissioner issued Marriott with a Notice of Intent to impose a penalty, pursuant to section 155(1) DPA and Schedule 16 of the DPA (the “NOI”). The proposed penalty was £99,200,396.00.
5.4. Marriott made written representations in response to the NOI on 23 August 2019, which are referred to in this Notice as “Marriott’s First Representations”. Marriott did not request an opportunity to make oral submissions.
5.5. Between August and October 2019, Marriott and the Commissioner exchanged correspondence about a number of issues, including (a) the application of the Commissioner’s Draft Internal Procedure, which is discussed further below; (b) the application and/or operation of the Article 60 GDPR consultation process; and (c) Marriott’s request for further opportunities to make submissions or representations prior to and during the Article 60 process.
5.6. In a letter dated 6 December 2019, the Commissioner:
    a. confirmed that she no longer intended to exercise her discretion to convene the Panel;
    b. confirmed that the Draft Internal Procedure would not be taken into account in setting any penalty imposed on Marriott, having considered the detailed representations Marriott had made on this issue in its First Representations. The letter confirmed that the Commissioner would continue to apply the EU and domestic legislative framework in conjunction with the Regulatory Action Policy;
    c. outlined how the Article 60 consultation process would be conducted in this case; and
    d. agreed to give Marriott the opportunity to make further representations on the Commissioner’s draft decision if Marriott agreed to extend the six-month period for the issuing of a penalty notice prescribed in paragraph 2 of Schedule 16 of the DPA. The Commissioner proposed a new deadline of 31 March 2020.
5.7. The Commissioner’s position on these issues was informed, in particular, by careful consideration of Marriott’s First Representations. Given the length and detail of those representations and the overall complexity of the case, that consideration took time and considerable resources. That process also resulted in changes and clarifications to the form and content of the draft decision.
5.8. The Commissioner was also especially mindful of the fact that she acted as lead supervisory authority pursuant to Article 60 GDPR in this case, and that it was therefore important that her investigation and decision be as comprehensive as possible, since the draft decision must be submitted for the consideration of other supervisory authorities pursuant to Article 60(3).
5.9. Although not required by law, the Commissioner considered that a further opportunity for Marriott to make representations was appropriate, provided that an agreement could be reached on extending the statutory timetable having regard, in particular, to: (i) the complexity of the case, (ii) Marriott’s representations, and (iii) the fact that this is one of the first major decisions made under the new EU data protection regime.
5.10. Following further correspondence, Marriott confirmed on 17 December 2019 its agreement to a statutory extension of time to 31 March 2020. On 20 December 2019, the Commissioner provided Marriott with a draft decision, and invited it to make further written representations and to provide any other relevant evidence it wished the Commissioner to take into account.
5.11. On 31 January 2020, Marriott provided further detailed written representations on the Commissioner’s draft decision (“Marriott’s Second Representations”).
5.12. On 12 February 2020, the Commissioner wrote to Marriott requesting further information and documents which arose from her consideration of the Second Representations.
5.13. In the light of the length and complexity of the Second Representations, on 13 February 2020 the parties agreed a further statutory extension of time until 1 June 2020.
5.14. Between 28 February 2020 and 28 April 2020, Marriott provided the Commissioner with the information she had requested on 12 February 2020.
5.15. On 3 April 2020 the Commissioner invited Marriott to make further representations specifically in respect of the financial impact on its business caused by the Covid-19 pandemic. Marriott provided a response to this request on 17 April 2020.
5.16. Due to the impact of the Covid-19 pandemic, on 17 April 2020 the parties agreed a further statutory extension of time for the issuing of a penalty notice to 30 September 2020.
6. CIRCUMSTANCES OF THE FAILURE: BREACHES
Marriott’s failures
6.1. The Commissioner’s conclusion is that between 25 May 2018, when the GDPR entered into force, and 17 September 2018, Marriott failed to comply with its obligations under Article 5(1)(f) and Article 32 GDPR. Marriott failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures as required by Article 5(1)(f) and Article 32 GDPR.
6.2. This section describes the specific failures to comply with the GDPR that the Commissioner has found and responds to Marriott’s First and Second Representations on the Commissioner’s NOI and draft decision.
The relevant standard
6.3. As set out above, Article 5 GDPR requires that personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The data controller, in this case Marriott, is responsible for, and must be able to demonstrate compliance with, that requirement.
6.4. Article 32 GDPR concerns the security of processing personal data and, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, requires a controller to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Such measures may include encryption of personal data and a process for regularly testing, assessing and evaluating the effectiveness of such technical and organisational measures.[26]
6.5. Not every instance of unauthorised processing or breach of security will necessarily amount to a breach of Article 5 or Article 32. The obligation under Article 5 GDPR is to ensure appropriate security; the obligation under Article 32 is to implement appropriate technical and organisational measures to ensure an appropriate level of security, taking account of the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk to the rights of data subjects.
6.6. When considering whether there has been a breach of the GDPR and whether to impose a penalty, the Commissioner must therefore avoid reasoning purely with the benefit of hindsight. The focus should be on the adequacy and appropriateness of the measures implemented by the data controller, the risks that were known or could reasonably have been identified or foreseen, and appropriate measures falling within Article 5 and/or Article 32 GDPR that were not, but could and should have been, in place.
[26] See also Recitals 76, 77 and 83 GDPR.
6.7. Having carefully examined the available evidence, including the evidence and submissions from Marriott and Marriott’s Representations, the Commissioner is satisfied that there were multiple failures by Marriott to put in place appropriate technical or organisational measures to protect the personal data being processed on Marriott’s systems, as required by the GDPR.
6.8. The NOI and draft decision identified a number of failures by Marriott to put in place appropriate security measures. Following careful consideration of the detailed representations received from Marriott, four principal failures by Marriott are now the subject of this Penalty Notice, which are outlined below.
Preliminary issue: revised scope of the findings made
6.9. In the NOI and the draft decision, concerns were raised in relation to the gaps which the Attack identified in the application of multi-factor authentication (“MFA”) within the relevant Starwood network. The Attacker was able to access the Starwood Cardholder Data Environment (“CDE”) because MFA was not applied to all accounts and systems with access to the CDE.
6.10. Marriott has explained that:
    a. it believed that MFA was in place across the CDE because it had received assurances from Starwood’s management to this effect;[27] and
    b. this belief was corroborated by two Reports on Compliance (“ROCs”), issued by independent PCI DSS[28] assessors on 29 April 2016 (pre-acquisition) and 23 May 2017 (post-acquisition), which stated that MFA was in place for anyone requiring access into the segmented CDE and was enabled on the jump-server via [redacted].[29] Marriott placed particular reliance in its representations on the 23 May 2017 report.
6.11. Having considered, in particular, Marriott’s Second Representations in response to the draft decision,[30] the Commissioner is satisfied that Marriott did not breach its obligations under the GDPR by relying upon the ROCs (in particular, the ROC issued in May 2017) issued by the PCI DSS assessors to conclude that access to the CDE was protected by MFA (albeit erroneously). The incomplete implementation of MFA is not therefore the subject of this Penalty Notice (and consequently was not taken into account in assessing the appropriate penalty).
[27] Marriott’s First Representations, para 1.40(a).
[28] Payment Card Industry Data Security Standard (“PCI DSS”).
[29] Marriott’s First Representations, para 1.40(b).
[30] Marriott’s Second Representations, paras 3.2-3.7 and 3.20-3.24.
The four principal failures
6.12. Taking into account the representations made by Marriott,[31] the following four principal failures are the subject of this Penalty Notice.
(1) Insufficient Monitoring of Privileged Accounts
6.13. As explained above, the Attacker was able to obtain access to the CDE by exploiting an unknown gap in the scope of application of MFA. This failure to secure the ‘outer ring’ of the CDE is not the subject of this Penalty Notice. Instead, it is of concern that once the Attacker gained access to the CDE, appropriate and adequate measures were not in place to allow for the identification of the breach and to prevent further unauthorised activity (including further unauthorised processing of personal data). This concern arises first in respect of Marriott’s failure to put in place appropriate ongoing monitoring of user activity, particularly activity by privileged accounts.
6.14. Marriott had itself determined that there was insufficient monitoring of privileged user accounts [redacted]. Whilst Marriott did deploy a Security Operations Centre (“SOC”) [redacted], this was insufficient for the reasons given at para 6.23 below.
6.15. The National Cyber Security Centre (“NCSC”) guidance, published on 17 November 2018, entitled “10 Steps to Cyber Security: Guidance on how organisations can protect themselves in cyberspace, including the 10 steps to cybersecurity”, lists “monitoring” as one of the relevant steps. It explains the importance of monitoring to detecting
[31] See, for example, Marriott’s Second Representations, paras 2.2(b)-(c), 3.1(b), 3.8-3.13 and 3.25-3.29.
or responding to attacks which have already taken place or commenced:
    Detect attacks: Either originating from outside the organisation or attacks as a result of deliberate or accidental user activity. Attacks may be directly targeted against technical infrastructure or against the services being run. Attacks can also seek to take advantage of legitimate business services, for example by using stolen credentials to defraud payment services.
    React to attacks: An effective response to an attack depends upon first being aware that an attack has happened or is taking place. A swift response is essential to stop the attack, and to respond and minimise the impact or damage caused.
    Account for activity: You should have a complete understanding of how systems, services and information are being used by users. Failure to monitor systems and their use could lead to attacks going unnoticed and/or non-compliance with legal or regulatory requirements.[32]
6.16. The NCSC guidance also explains that monitoring activities should include, inter alia, the monitoring of network traffic and user activity. This NCSC guidance builds upon earlier guidance published by the NCSC which is to similar effect. See, for example, the NCSC guidance entitled “Introduction to identity and access management” published in January 2018,[33] which refers to: (a) “basic principles to follow when designing user access management”; and (b) “basic architectural good practice when designing and administering access management systems”. Such basic principles and practices include “operations and monitoring - the supporting processes and technology to identify and enable investigation of breaches of policy or controls”. The guidance explains that:
    Given the high value to an attacker of compromising your identity and access management systems they should be given priority for security maintenance. This means, amongst other things, prompt application of security patches across your estate (or otherwise mitigating security issues), practicing good user and privileged user management, and applying appropriate protective monitoring. Additionally, we recommend:
    - designing your access control systems to allow for easy monitoring of account usage and accesses
    - being able to tie all user actions in the system to the user that performed them...”
[32] https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security?curPage=/collection/10-steps-to-cyber-security/the-10-steps/monitoring
[33] https://www.ncsc.gov.uk/guidance/introduction-identity-and-access-management
6.17. Both examples of NCSC guidance detail the basic need for multiple security techniques, processes and technologies in order to secure systems. Accordingly, Marriott ought to have been aware of the need to have multiple layers of security in place in order to adequately protect personal data. Although Marriott had assured itself that it had MFA in place[34] (which, as explained above, the Commissioner accepts that Marriott did), and had certain additional security measures in place, this was not sufficient. Marriott ought to have had in place better monitoring of user activity to aid in the detection of an attack, as an additional layer of security.
6.18. A forensic report into the incident, dated 11 April 2019, was commissioned by Marriott and prepared by Verizon (the “Verizon Report”). It notes that Marriott had not configured logging in respect of “access to systems and/or applications within the CDE.”[35] Marriott did have the results of the ROCs and its own annual penetration tests. However, these did not evaluate the appropriateness of the way in which Marriott monitored (including through logging) the Starwood system or the configurations used for any such monitoring (including logging). Logging configurations are not within the scope of these tests. This is not a criticism of the ROCs or the penetration tests themselves. Rather it reflects the fact that Marriott ought to have taken steps to implement measures which would identify vulnerabilities which the ROCs and penetration tests would not identify. Such steps would include the implementation of effective monitoring (including logging) and alerts as part of Marriott’s wider security measures. This is the gap identified by the Verizon Report.
6.19. In this case, appropriate monitoring would have included the appropriate logging of user activity, especially in relation to privileged users. The logging of user activity once within the CDE, in addition to the logging done by the Guardium software, would have aided in the detection of unusual account activity (such as where, in this case, the Attacker regularly utilised legitimate accounts to perform unauthorised user activity within the CDE). Marriott’s failure to log user activity in this way was inconsistent with its obligations under the GDPR.
[34] Contrary to, for example, para 3.6 of Marriott’s Second Representations.
[35] Verizon Report, page 18.
6.20. Marriott states that “no amount of logging would necessarily have identified an attacker unless the attacker operated from an identified suspicious IP address, which is not the case in this matter.”[36] It is right to say that no security measure “would necessarily” work, there being no guarantee that any security measure is wholly effective. It is also true that it is harder to detect an attacker who is not operating from a suspicious IP address. However, this is precisely why the monitoring of legitimate user accounts (including through logging) within the network for unusual activity is vital. This is recognised by the NCSC, which states in relation to monitoring: “these solutions should provide both signature-based capabilities to detect known attacks, and heuristic capabilities to detect unusual system behaviour”.[37]
(2) Insufficient Monitoring of Databases
6.21. In addition to the insufficient monitoring of user accounts and the user activity linked to those accounts, Marriott failed to adequately monitor the databases within the CDE. In this respect, the Commissioner is concerned by the following three failures: (a) deficiencies in Marriott’s setup of security alerts on databases within the CDE; (b) the failure to aggregate logs; and (c) the failure to log actions taken on the CDE system, such as the creation of files and the exporting of entire database tables.
6.22. Marriott deployed IBM Guardium to monitor activity on the database within the CDE. As configured by Marriott, IBM Guardium had two functions. First, it logged activity (such as efforts to create, read, update, or delete data within a database). Secondly, it issued alerts in certain circumstances. The problems with the approach adopted are as follows.
[36] Marriott’s Second Representations, para 3.39.
[37] NCSC “10 Steps to Cyber Security” Guidance, dated November 2018: https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/the-10-steps/monitoring
6.23. With respect to logging, there were two main problems:
    a. First, whilst Marriott had a security incident event management system (“SIEM”) and a SOC to collect the logs being generated by the system, Marriott did not ensure sufficient logging of key activities such as user activity or actions taken on a database. The insufficient logging rendered the SIEM and SOC ineffective. Marriott also insufficiently logged in other areas of its network, such as firewall and access logs.
    b. Second, Marriott did not engage in server logging of the creation of files (or alternatively it did not use the IBM Guardium software in a similar way), which allowed the Attacker to export entire databases to ‘dmp’ files undetected. Such logging is likely to have been feasible for Marriott as such mass export of data does not regularly occur within the normal course of business so as to generate an unhelpful number of false-positives. This form of logging on the system, and the evaluation of the created logs, could have enabled Marriott to detect unexpected activity within the CDE.
6.24. In response to the concerns raised, Marriott has referred to its use of Proventia and McAfee’s IntruShield (two systems which generate and aggregate logs).[38] These are not, however, sufficient to address the risks faced by the Starwood network. McAfee’s IntruShield aids in the detection of zero-day, DoS attacks, spyware, malware, botnets and VoIP threats, while Proventia operated as an intrusion detection system. Like Proventia, IntruShield does not address the shortcomings identified above, namely the failure to monitor database activity and user actions on network devices.
6.25. Marriott stated in its First Representations, and the Commissioner agrees, that such logging would not have prevented the Attack in and of itself, but “merely informs a response once the system operator is aware of the malicious activity”.[39] However, regular and close monitoring and evaluation of logs can assist in the early detection of attacks, their mitigation, and the prevention of future attacks. That Marriott did not detect the Attack until alerted by Guardium is indicative of Marriott failing regularly to test, assess, and evaluate the effectiveness of its security measures.
[38] Marriott’s Second Representations, para 3.40.
[39] Marriott’s First Representations, para 1.61.
6.26. With respect to the Guardium alerts, the problem was that the circumstances in which IBM Guardium would issue alerts were limited in a way which undermined its ability to detect unauthorised activity within the databases.
6.27. In particular, alerts were only placed on tables that contained payment card information, and only specific queries (where table names were directly referenced, such as in a count) triggered warnings in the system. Although the database as a whole did have some protection from Guardium,[40] the known actions of the Attacker prior to 7 September 2018 did not meet the conditions for the triggering of an alert.[41] Marriott has explained that specific alerting rules and tables were chosen in order to reduce false-positives. However, this explanation is insufficient to justify an approach where only tables including payment card data were placed within the scope of Guardium rules. Marriott’s focus on payment card information illustrates a failure to implement appropriate technical and organisational measures to ensure an appropriate level of overall security for all other personal data.
6.28. A risk-based approach was required in this case (as acknowledged in para 1.45 of Marriott’s First Representations). Payment card data is likely to be the highest risk category, and the tables containing payment card data could therefore warrant higher security than other tables depending on the sensitivity of the other data held. However, while a risk-based approach may require payment card data to have additional security alerts, this does not justify a complete lack of alerts on tables containing other personal data. Moreover, the other data held may vary in its sensitivity, requiring different security measures to be applied to the tables/relevant processing.
6.29. Marriott stated that it reasonably assumed, based upon the PCI DSS testing results, that the Guardium alerts in respect of the CDE were appropriately configured.[42] However, the PCI DSS tests concerned the perimeter defences against an attack rather than monitoring systems concerned with the detection of an attacker who had already penetrated the CDE. The tests did not assess the appropriateness of the discriminatory application of the alerts across the CDE segment, nor what this meant for the security of categories of personal data stored in tables which did not contain payment card information. They do not, therefore, provide the reasonable assurance which Marriott claims.
6.30. Finally, Marriott suggested that because it believed MFA was implemented across the CDE, this rendered its reliance on that authentication tool and the Guardium alerts as configured reasonable and therefore in compliance with Articles 5(1)(f) and 32 GDPR. This is not accepted: monitoring (including logging) of the types discussed in paras 6.13 to 6.29 above are standard security measures. Control of access through MFA does not displace the need for adequate monitoring (including logging) of activities that assist in detecting a breach once it is in train (see paras 6.15-6.17 above).
[40] Namely in terms of detecting unauthorised access based on IPs or failed login attempts, which the Attacker in this incident bypassed through compromised user credentials.
[41] As confirmed by Marriott in its correspondence dated 20 December 2018, page 6.
[42] Marriott’s First Representations, paras 1.43-44.
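The database-monitoring gaps described in paras 6.23 and 6.27 (no logging of whole-table exports to dump files; alerts only on payment card tables and only for queries that name the table, such as a count) can be made concrete as detection rules. The following is an added example, not code from the notice, from Marriott or from IBM Guardium: the audit records, file events, table names, account names and thresholds are all constructed for illustration.

```python
"""Detection rules over a constructed database audit feed.

narrow_rules() mirrors the alerting described in the notice: alerts only on
tables holding payment card data, and only for statements that name the
table directly (such as a COUNT). broad_rules() and file_creation_rule()
show the coverage the notice says was missing: every personal-data table,
bulk exports of whole tables to dump files, privileged-account activity
outside business hours, and server-side creation of dump files.

All records, table names, account names and thresholds are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed audit records: (timestamp, account, is_privileged, sql)
SAMPLE_AUDIT = [
    ("2018-07-02T01:12:03Z", "svc_backup", True,  "SELECT COUNT(*) FROM card_txn"),
    ("2018-07-02T01:13:40Z", "svc_backup", True,  "SELECT * FROM guest_profile"),
    ("2018-07-02T01:15:09Z", "svc_backup", True,
     "SELECT * FROM guest_profile INTO OUTFILE '/tmp/guest_profile.dmp'"),
    ("2018-07-02T09:30:11Z", "app_web",    False, "SELECT name FROM guest_profile WHERE id = 42"),
    ("2018-07-02T02:05:55Z", "svc_backup", True,  "SELECT * FROM passport_doc"),
]

# Constructed server-side file creation events: (timestamp, process, path, size_bytes)
SAMPLE_FILE_EVENTS = [
    ("2018-07-02T01:15:10Z", "mysqld",    "/tmp/guest_profile.dmp",     9_800_000_000),
    ("2018-07-02T03:00:00Z", "logrotate", "/var/log/mysql/error.log.1", 120_000),
]

# Constructed classification of the tables in the CDE segment.
PAYMENT_CARD_TABLES = {"card_txn"}
PERSONAL_DATA_TABLES = {"card_txn", "guest_profile", "passport_doc"}
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 UTC, a constructed baseline

TABLE_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)
DUMP_RE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s+'([^']+)'", re.I)
FULL_READ_RE = re.compile(r"\bSELECT\s+\*\s+FROM\b", re.I)
COUNT_RE = re.compile(r"\bCOUNT\s*\(", re.I)


@dataclass(frozen=True)
class Alert:
    rule: str
    actor: str
    detail: str


def tables_in(sql):
    """Tables referenced in FROM clauses of the statement."""
    return set(TABLE_RE.findall(sql))


def narrow_rules(records):
    """Alerting as configured in the notice: payment-card tables only,
    and only statements that reference the table directly in a count."""
    return [Alert("pci_table_count", account, sql)
            for _, account, _, sql in records
            if tables_in(sql) & PAYMENT_CARD_TABLES and COUNT_RE.search(sql)]


def broad_rules(records):
    """Risk-based rules: every personal-data table is in scope, bulk exports
    and whole-table reads are flagged, and privileged accounts acting outside
    business hours are flagged whichever personal-data table they touch."""
    alerts = []
    for ts, account, privileged, sql in records:
        touched = tables_in(sql) & PERSONAL_DATA_TABLES
        if not touched:
            continue
        if DUMP_RE.search(sql):
            alerts.append(Alert("bulk_export_to_file", account, sql))
        elif FULL_READ_RE.search(sql) and "WHERE" not in sql.upper():
            alerts.append(Alert("full_table_read", account, sql))
        hour = int(ts[11:13])            # ISO-8601 timestamp, UTC
        if privileged and hour not in BUSINESS_HOURS:
            alerts.append(Alert("privileged_out_of_hours", account, sql))
    return alerts


def file_creation_rule(events, size_threshold=1_000_000_000):
    """Server-side file logging: a new dump file, or any unusually large new
    file, on a CDE host is worth an alert because mass exports are rare."""
    return [Alert("dump_file_created", process, path)
            for _, process, path, size in events
            if path.lower().endswith((".dmp", ".dump", ".sql")) or size >= size_threshold]


def summarise(alerts):
    """Count alerts per rule so the two configurations can be compared."""
    return dict(Counter(a.rule for a in alerts))


if __name__ == "__main__":
    print("narrow:", summarise(narrow_rules(SAMPLE_AUDIT)))
    print("broad: ", summarise(broad_rules(SAMPLE_AUDIT)))
    print("files: ", summarise(file_creation_rule(SAMPLE_FILE_EVENTS)))
```

On the constructed feed the narrow configuration raises a single alert (the count on the card table) and never sees the export of the guest table, while the broader rules and the file-creation rule both surface it.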
(3) Control of critical systems
6.31. As discussed at paragraphs 6.13-6.30 above, Marriott failed to ensure that the actions taken on its systems were appropriately monitored. In addition to the use of monitoring and security alerts, it would have been appropriate for Marriott to implement a form of server hardening as a preventative measure, which could have prevented the Attacker from gaining access to administrator accounts and performing reconnaissance before traversing across a network.
6.32. In particular, the implementation of whitelisting is one way in which Marriott could have performed server hardening. Whitelisting is a form of programming which only allows certain users or IP addresses to access certain systems or software, as required for their specific role. It is important in reducing attack surfaces and reducing the risk of attackers being able to traverse through a network after gaining entry to a single user account.
6.33. Whitelisting should be deployed where appropriate on critical systems, and those systems which have access to large amounts of personal data. The NCSC Guidance states that: “you should develop a strategy to remove or disable unnecessary functionality from systems.”[43] Whitelisting is also described in NCSC Cyber Essentials guidance as a defence against malware.[44] This supports advice given in earlier guidance by NIST. In October 2015 NIST published a guide to whitelisting which shows how whitelisting can be utilised to prevent unauthorised software from being installed on a device.[45] In this incident, whitelisting could have aided in halting the reconnaissance and privilege escalation stage of the Attack.
6.34. There are many forms of whitelisting. Binary software whitelisting is a form of access control where only authorised software and scripts can be installed on a given system or user areas. For example, only allowing pre-approved software such as Microsoft Word and Outlook to be installed on work laptops. This can be distinguished from other forms of whitelisting, such as the process by which only authorised IP addresses can gain access to network resources.[46] Whilst it is not possible to list the devices in relation to which whitelisting could have been appropriate, at a minimum whitelisting would be expected on: (a) devices which could be remotely accessed; (b) devices which store large amounts of, or sensitive categories of, personal data; (c) any other systems which Marriott regards as ‘critical’ to their network operations; (d) any POS terminals at a property level; and any other devices which process payment card transactions.[47] The implementation of binary software whitelisting would, if correctly implemented, have prevented the installation and execution of a RAT. While it is true that the RAT was installed and executed on the system both pre-acquisition and pre-GDPR, and was therefore not attributable to Marriott, the continued absence of whitelisting post-GDPR left the systems for which Marriott was responsible vulnerable to further RAT installations and executions.
[43] See https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/the-10-steps
[44] NCSC Cyber Essentials Guidance: Requirements for IT infrastructure (dated April 2020): https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-IT-infrastructure.pdf (pages 10-11, under the heading “Malware Protection”). This language was also included in the now archived version of this guidance, which dated from January 2015: https://webarchive.nationalarchives.gov.uk/20150605225501/https://www.gov.uk/government/publications/10-steps-to-cyber-security-advice-sheets/10-steps-secure-configuration--11
[45] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf (dated October 2015). See, in particular, section 2.1 on page 2.
[46] See para 1.52 of Marriott’s First Representations.
[47] “Protecting Point of Sale Devices from Targeted Attacks” (Microsoft), dated 1 April 2014. https://download.microsoft.com/documents/en-us/Protecting_Point_of_Sale_Devices-April_2014.pdf. See, in particular, page 5.
6.35. Marriott stated in its First Representations that binary software whitelisting was rarely implemented by companies at the time of the incident, because it places a heavy burden on IT systems.[48] However, binary software whitelisting was a well-recognised and established security practice for some time before the GDPR came into force, and certainly by that date. The NCSC Guidance lists whitelisting (“prevent unknown software from being able to run or
        install itself...") as a “Cyber Essential”. That guidance was published
        in October  2015,  and  therefore  pre-dates  the GDPR.*°    In addition,
        there i guidance    published  by the National Institute of Standards
        and Technology (“NIST”), which recognises whitelisting as a better
        option than anti-malware.°° The NIST Guidance was published                i
        2015,  and therefore    significantly pre-dates  the implementation      of
        the GDPR.
6.36. Marriott also stated in its First Representations that binary software whitelisting could be circumvented by attackers 'side loading' RATs by using legitimate executable code.[51] Whitelisting, like all security measures, cannot be entirely resistant to attack. However, where side-loading did take place in the Attack, that appears to have been because Marriott's systems vaguely or improperly specified a dynamic-link library (DLL) which allowed such side-loading to take place.[52] Whilst Marriott is right to suggest that these are risks which cannot be fully eliminated from any third-party software,[53] this only highlights the fact that Marriott ought to have carried out regular audits, updates of software and restricted file and directory permissions. The existence of outdated/obsolete software is also an issue noted in both the 2017 and 2018 PCI DSS Reports, and these could have been mitigated by properly reacting to issues discovered in the penetration tests.

6.37. In any event, no single security measure can fully protect a system against attack or compromise. It would have been appropriate for Marriott to have implemented a 'defence in depth' strategy, of which whitelisting could play an important role, in order to protect their systems against attack and monitor activity on their network in order to promptly mitigate any unauthorised or malicious actions that managed to bypass their security controls.

6.38. The measures discussed above are readily available and mature solutions (i.e. solutions that have been known about in the industry for a long period of time), which are appropriate and could have been implemented by Marriott, to the extent necessary, without entailing excessive cost or technical difficulties. However, it is only suggested that whitelisting (or equivalent server hardening measures which would limit the functionality of systems to only that which is required of them) could be appropriately deployed on (a) critical systems which attackers may target whilst looking to access other, sensitive areas of the network, or (b) systems which could access other (separate) systems containing personal data. Therefore, it would be appropriate to implement a server hardening measure across devices with access to the CDE, the CDE environment itself and any other network devices that could access either large quantities or sensitive categories of personal data.

[48] Marriott's First Representations, para 1.53.
[49] See: https://www.ncsc.gov.uk/information/reducing-your-exposure-to-cyber-attack
[50] See: https://www.ncsc.gov.uk/information/reducing-your-exposure-to-cyber-attack and the reference to "whitelisting and execution control - prevents software from being able to run or install itself."
[51] Marriott's First Representations, para 1.53.
[52] See …/techniques/T1… for an explanation of the vulnerabilities that allow side loading to take place.
[53] Marriott's Second Representations, para 3.31.
(4) Encryption

6.39. Payment card data and, in some cases, passport numbers, were encrypted by Marriott using AES-128, an industry standard encryption algorithm. Oracle databases (the Starwood reservation database included tables stored in an Oracle database) provided the functionality to encrypt table entries in this way, and it was Marriott's responsibility to ensure this was configured correctly.

6.40. However, in keeping with Marriott's focus on PCI DSS compliance, encryption was not applied to other categories of personal data. The Commissioner is particularly concerned that not all passport numbers were encrypted.

6.41. In its First and Second Representations, Marriott stated that it had adopted a mature and risk-based approach to cyber security by targeting its security efforts on the tables containing cardholder information.[54] In support of its position, Marriott relied upon a selective quotation from the NCSC Guidance in its written submissions. However, the Commissioner notes that the full quote provides as follows:

    "In some scenarios, the use of encryption to protect bulk data should be the norm. For example, where data is transmitted over the internet, stored on a laptop, or stored on removable media. However, encryption relies on good key management, and in some scenarios it is challenging to engineer a solution which makes meaningful use of encryption to protect personal data. This is sometimes the case in systems which are always online, where data needs to be available to query. In these scenarios, your systems architects and designers will need to think carefully about how encryption can be used in a meaningful way."[55]

6.42. However, Marriott has not provided any risk assessments which demonstrate the evaluative judgement it arrived at and the rationale for its approach to the encryption of personal data. On the contrary, Marriott has taken an inconsistent approach by encrypting some but not all passport numbers. In addition, while it may be true that cardholder information is of higher risk than other categories of personal data, this does not vitiate the risk to other categories of personal data. Thus, while the NCSC guidance quoted above does not say that Marriott is required to implement encryption across all personal data, it does require Marriott to explain why it chose to selectively encrypt data.[56] Even if Marriott reasonably believed that the CDE was protected by MFA, it was aware, or ought to have been aware, that no system is fully secure.[57]

6.43. Marriott, in its First Representations, also claimed that it would have been impractical for it to have encrypted any more personal data than it did.[58] However, a number of methods exist to facilitate the identification of the user to which a piece of data refers, so that decryption of personal data can take place quickly and when necessary. One method is through the use of a unique identifier (such as a UUID), which can aid in querying and decrypting individual pieces of data associated with individual customers where required in almost real-time. There are also Hardware Security Modules which Marriott could have utilised, encrypting data in near real time at its source and decrypting it at its destination.

[54] Marriott's First Representations, paras 1.27 and 1.63; see also para 3.45 of Marriott's Second Representations.
[55] See: https://www.ncsc.gov.uk/collection/protecting-bulk-pers (emphasis added).
[56] Marriott's Second Representations, para 3.46(c).
[57] Marriott's Second Representations, para 3.46(b).
[58] Marriott's First Representations, para 1.27(b).
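As an added example of the approach outlined in paragraph 6.43 (not code from the Penalty Notice, and not Marriott's or Starwood's implementation), the Go program below stores each passport number as AES-128-GCM ciphertext in a row indexed by a random UUID, so that one guest's value can be decrypted on demand without decrypting the table. The UUID is also passed as associated data, so a row copied under a different identifier fails authentication. The 16-byte key, the sample passport number and the in-memory map standing in for a database table are all constructed for the example; the notice's point about Hardware Security Modules concerns where such a key would be held, which this example leaves outside its scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Row is what the table actually holds for one guest: the nonce and the
// passport number as AES-128-GCM ciphertext. The UUID is the row key.
// A bulk export of the table yields only these values.
type Row struct {
	Nonce      []byte
	PassportCT []byte
}

// GuestStore keeps rows indexed by UUID and holds the AEAD built from the
// table key. Where the key itself lives (an HSM or key management service
// in a real deployment) is outside this example.
type GuestStore struct {
	aead cipher.AEAD
	rows map[string]Row
}

// NewGuestStore builds the store from a 16-byte key, i.e. AES-128.
func NewGuestStore(key []byte) (*GuestStore, error) {
	if len(key) != 16 {
		return nil, errors.New("AES-128 requires a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &GuestStore{aead: aead, rows: make(map[string]Row)}, nil
}

// NewUUID returns a random RFC 4122 version-4 UUID using only the
// standard library.
func NewUUID() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// Add encrypts one passport number under a fresh nonce and stores it under
// a new UUID. The UUID is the associated data, so the ciphertext is bound
// to its own row and cannot be quietly moved to another guest.
func (s *GuestStore) Add(passport string) (string, error) {
	id, err := NewUUID()
	if err != nil {
		return "", err
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := s.aead.Seal(nil, nonce, []byte(passport), []byte(id))
	s.rows[id] = Row{Nonce: nonce, PassportCT: ct}
	return id, nil
}

// Passport decrypts the single row for one guest; no other row is touched,
// which is the near-real-time lookup the notice has in mind.
func (s *GuestStore) Passport(id string) (string, error) {
	row, ok := s.rows[id]
	if !ok {
		return "", fmt.Errorf("no row for guest %s", id)
	}
	pt, err := s.aead.Open(nil, row.Nonce, row.PassportCT, []byte(id))
	if err != nil {
		return "", fmt.Errorf("row %s failed authentication: %w", id, err)
	}
	return string(pt), nil
}

// Export returns the stored row as it would appear in a table dump.
func (s *GuestStore) Export(id string) (Row, bool) {
	row, ok := s.rows[id]
	return row, ok
}

// Import writes a row under the given UUID, as a table copy would.
func (s *GuestStore) Import(id string, row Row) {
	s.rows[id] = row
}

// CiphertextHex is what an attacker exporting the table obtains for one row.
func (s *GuestStore) CiphertextHex(id string) string {
	return hex.EncodeToString(s.rows[id].PassportCT)
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key, not a real one
	store, err := NewGuestStore(key)
	if err != nil {
		panic(err)
	}
	id, _ := store.Add("123456789") // constructed sample passport number
	fmt.Println("stored row:", id, store.CiphertextHex(id))
	pt, _ := store.Passport(id)
	fmt.Println("decrypted for this guest only:", pt)
}
```

The lookup cost is one AEAD operation per requested guest, which is the practical answer to the claim that wider encryption would have been impractical for an always-online reservation system: rows are selected by UUID in the clear and only the selected row is decrypted.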
6.44. In addition, the level of security that the encryption could have achieved was compromised within the Starwood guest reservation database by a script, developed by Starwood, which allowed for AES-128 encrypted entries in a database table to be decrypted. [Remainder of paragraph redacted in the published notice.]

6.45. [Text redacted in the published notice.]

6.46. [Text redacted in the published notice.]

6.47. [Text redacted in the published notice.]

[59] … the Commissioner agrees that it is unlikely that the attacker did run it … of times, … the attacker wished, this could have been achieved in very little time … be run as an automated process.
[60] Marriott's Second Representations, para 3.46(a).

Marriott's wider arguments
6.48. In addition to the arguments referred to above, Marriott's Representations raised a number of more general legal and/or factual arguments. This section addresses the following submissions made by Marriott:

a. First, that the Commissioner had assessed the issue of breach without reference to "any clear standards",[61] reasoned with the benefit of hindsight and regarded the fact that the Attack was successful as an indicator that the security measures were inappropriate.[62] Marriott claims that the Commissioner has applied an "impossibly high standard of care".[63]

b. Second, that the Commissioner failed to apply a holistic approach.[64]

c. Third, that the Commissioner impermissibly relied upon Marriott's pre-GDPR conduct, and incorrectly concluded on a provisional basis that Marriott had failed to carry out sufficient and appropriate due diligence.[65]

d. Fourth, that the Commissioner erred in referring to Article 25 GDPR in the NOI.[66]

e. Fifth, that the Commissioner erred in reaching the provisional view in the NOI that Marriott had breached the notification requirement under Article 33 of the GDPR.[67]

f. Sixth, that the Commissioner was wrong provisionally to find in the NOI that Marriott's notification to data subjects breached Article 34 of the GDPR.[68]

6.49. In its First and Second Representations, Marriott also advanced a number of points in relation to: (a) the Commissioner's approach to determining whether to impose a penalty; and (b) her methodology in calculating the proposed penalty as set out in the Notice of Intent and the draft decision. These arguments are addressed in Section 7 below.

[61] Marriott's First Representations, paras 1.3-1.7.
[62] Marriott's First Representations, paras 1.8-1.12. See, to similar effect, Marriott's Second Representations, Executive Summary, para 3, and para 3.1(b), and paras 3.15-3.18.
[63] Marriott's First Representations, Executive Summary, para 1; para 1.2; see also Marriott's Second Representations, paras 3.14-3.18.
[64] Marriott's First Representations, Executive Summary, paras 1 and 5, and paras 1.13-1.15; and Marriott's Second Representations, para 2.2(c).
[65] Marriott's First Representations, Executive Summary, paras 3-4, paras 1.18-1.20 and 1.29-1.37.
[66] Marriott's First Representations, para 1.21.
[67] Marriott's First Representations, Executive Summary, para 7, and paras 2.1-2.10 and 2.16.
[68] Marriott's First Representations, paras 2.11-2.15 and 2.16.
(1) The correct approach/standard

6.50. Marriott claims that: (a) the Commissioner's factual findings were inaccurate; and/or (b) the Commissioner cannot maintain the conclusion that appropriate measures were available that Marriott failed to take to remove and/or mitigate the risk of an attack of the kind which occurred in this case because she had applied the incorrect standard or approach.[69]

6.51. In the analysis set out above, the Commissioner has clarified certain factual findings made in the Notice of Intent in the light of the submissions made by Marriott in both its First and Second Representations, including by, in particular, clarifying her position in respect of the incomplete application of MFA.

6.52. Further, paragraphs 6.3-6.8 above provide an accurate summary of the position on the relevant standard and set out the Commissioner's response to Marriott's argument that she applied an incorrect, unduly high, inappropriate or unclear standard in the NOI and/or draft penalty notice. The analysis set out in Section 6 above clearly explains the basis for the finding that Marriott failed to put in place appropriate security arrangements as required by the GDPR by reference to the specific facts of this case. Contrary to the claims made in Marriott's First Representations, the Commissioner has not applied a one-size-fits-all approach to what measures are appropriate to secure different types of personal data.[70]

[69] Marriott's First Representations, paras 1.3-1.5 and 1.39-1.70; and Marriott's Second Representations, Executive Summary, para 3.1.
[70] Contrary to, in particular, paras 1.16-1.17 of Marriott's First Representations.
6.53. As the Commissioner has set out above, and as she set out in the NOI, there were a number of appropriate measure(s) available to Marriott that an organisation of its scale would be expected to take to secure its data operations. Contrary to the claims made by Marriott, neither this Penalty Notice nor the NOI/draft decision proceeds on the basis that simply because the Starwood system was the victim of the Attack, it follows that Marriott breached the GDPR.[71] The reasoning supporting this Penalty Notice, and the NOI and draft decision, does not adopt such a simplistic approach.

6.54. For essentially the same reasons, contrary to Marriott's submissions,[72] the Commissioner's findings do not involve applying the benefit of hindsight in an improper manner, or at all (as already explained above). The Commissioner is satisfied that there were four distinct weaknesses in Marriott's system, each of which Marriott ought to have identified and remedied, using one of the range of options available to Marriott (as discussed above). The Commissioner does not rely on the 'success' of the Attack as evidence that a breach of the GDPR definitely occurred. Instead, the Attacker's ability to exploit deficiencies in Marriott's security measures, for which remedies were available, discloses wider failures to put appropriate measures in place. In particular, the failure to encrypt all passport numbers was inadequate. There was also a failure to place Guardium alerts on tables other than those which contained payment information, thereby allowing the attack to go on undetected for a longer period.

6.55. At para 1.12 of its First Representations, Marriott also claims that there is no basis for the suggestion that, under the GDPR, it ought to have identified the type of Attack which is the subject of this Notice, or carried out any further improvements on the Starwood systems, because the system was the "victim of a sophisticated attacker, which adopted a multi-vectored approach to its attack and was able to circumvent numerous protections that were in place". However, the sophistication or specific vector of the attack is not the relevant focus. A controller has to implement appropriate measures to ensure the security of its systems. The measures mentioned above could have been implemented using standard industry tools, and could have prevented, detected and/or mitigated the impact of the Attack. What the Attack disclosed was the failure by Marriott to put in place appropriate security measures to address attacks of this kind and/or other identifiable risks to the system.

[71] Marriott's First Representations, paras 1.8-1.9.
[72] See, in particular, Marriott's Second Representations, paras 3.15-3.18.
6.56. Furthermore, Marriott was wrong to state[73] that the fact that the relevant Starwood IT system was due to be retired shortly means that it was not necessary to put in place the types of appropriate measures identified above in order to comply with Articles 5(1)(f) and/or 32 GDPR.

6.57. In particular, Marriott relies on the fact that it originally intended to decommission the Starwood system in the first quarter of 2018 in response to the concerns raised about its security measures. It is important to note that the intended decommissioning was due to take place approximately a year and a half after the acquisition of Starwood, a long period of time during which data continued to be processed on the system. In fact, the intended decommissioning did not take place in the first quarter of 2018; the timetable was altered such that it was only to be achieved by the end of 2018. Whilst the Commissioner accepts that Marriott could not have known about the delay to the decommissioning timetable at the outset,[74] in early 2018 Marriott was aware that the GDPR was coming into force and that it would be continuing to process data within the Starwood network for a number of months after that. During this period, appropriate monitoring (including logging) and alerting tools could have been implemented relatively quickly in order to secure the systems until their decommissioning at the end of 2018.

6.58. Many of the measures identified in the discussion of the 4 principal errors above could have been easily implemented as part of the security improvements which Marriott was already making over this period. With regards to logging, the appropriate changes to what was in fact being logged could have been made as part of Marriott's SIEM and SOC projects. No additional steps as part of the "general IT lifecycle process" would have been required.[75] Similarly, changes to the Guardium alert settings could have been made relatively quickly and easily when IBM Guardium was deployed. The appropriate server hardening measures could have been implemented within 6-12 months (depending on which measures Marriott selected and how it chose to implement them).

6.59. The fact that an IT system is due to be retired shortly does not disapply the GDPR to the data being processed through that system. Marriott was still obliged to decide what appropriate measures should be in place in the light of the continued use of the system. While the fact that a system is to be decommissioned may be a relevant factor in determining what measures would be appropriate in a given case, this ultimately does not remove the basic obligation to put in place security measures appropriate to the risk posed by the continued processing. This may mitigate against, for example, a requirement that a controller, even one of the size and scale of Marriott, put in place expensive, state-of-the-art measures, where the system is to be decommissioned in the near future. However, where other appropriate measures are available without entailing disproportionate cost or delay, they should be put in place if they are required to ensure a level of security appropriate to the risks posed by continued processing. As explained above, the specific measures identified in the discussion of the four principal errors above are all ones which could have been put in place in a short amount of time, and which would not have entailed excessive cost.

[73] Marriott's Second Representations, paras 3.32-3.36.
[74] Marriott's Second Representations, paras 3.35-3.36.
[75] Marriott's Second Representations, para 3.38.
(2) A holistic approach

6.60. The Commissioner has had regard to Marriott's detailed submissions on the security measures it had in place generally, and those it implemented after its limited due diligence on the Starwood systems.[76] However, the investigation has identified a number of appropriate measures or steps that should have been taken by Marriott to address the identified security risks within its system. The Attack, and/or other attacks which could have occurred as a result of the deficiencies in Marriott's systems identified above, mean that, even judged holistically, Marriott's technical and organisational data security arrangements cannot be regarded as sufficient or appropriate.

6.61. The Commissioner has also considered Marriott's submissions about the improvements made to Starwood's systems post-acquisition, which are said to show that it engaged in appropriate due diligence.[77] However, it is notable that none of those steps identified the relevant, easily detectable, deficiencies in Marriott's security, which could have been easily addressed but were exploited during the Attack. Marriott's submissions in this regard focus on improvements it made to its own systems, and which the Starwood systems / data would benefit from when they were migrated to its network (paras 1.35(b)-(c) of Marriott's First Representations). But this does not meet the concern that Marriott continued to use the Starwood system without remedying the clear deficiencies in its security arrangements. It is clear from Marriott's Representations[78] that only limited changes were made to the Starwood system because it was expected to be decommissioned sometime in the future. It is apparent that these changes were not sufficient to address the failings described above which should have been addressed given the ongoing processing that was to take place prior to decommissioning.

[76] See, in particular, para 1.35 and paras 1.39-1.70 of Marriott's First Representations.
(3) Pre-GDPR conduct and due diligence

6.62. Marriott is wrong to argue that the NOI relied upon Marriott's failure to appropriately secure its systems and the personal data stored on them, prior to the period covered by the GDPR. The fact that no such reliance was placed on the pre-GDPR conduct was made clear in the NOI itself.[79]

6.63. Marriott's argument in this regard relies on the claim that any duty to undertake a due diligence process is one which would have to be discharged prior to or shortly after acquisition. Marriott submitted that it is not tenable to proceed on the basis that acquisition due diligence is a "seemingly endless" process.[80]

6.64. While the Commissioner accepts that the acquisition of a company / data processing operations are a trigger for a controller to carry out due diligence, either immediately prior to acquisition or shortly thereafter, this is not the only trigger point for such activity. The need for a controller to conduct due diligence in respect of its data operations is not time-limited or a 'one-off' requirement. In particular, the coming into effect of the GDPR was, for a global business like Marriott, a highly relevant factor.

6.65. Controllers such as Marriott would have been aware for some time that the GDPR was going to come into effect on 25 May 2018. It was incumbent on such controllers to ensure that their data processing complied with the provisions of EU law from that date. However, after May 2018 Marriott continued to process personal data using a system that was deficient in a number of respects, and those deficiencies only came to light following the discovery of the Attack some months later.

6.66. Given Marriott's ongoing duty to ensure that the systems it had acquired from Starwood were GDPR compliant, it is no answer to claim that certain due diligence steps were, or only needed to be, taken in the period immediately after acquisition. Controllers cannot process personal data without appropriate security measures being in place on the basis that the system was deficient prior to May 2018 and has not been remedied. Even if adequate due diligence had been undertaken at the point of acquisition, that would not have removed Marriott's obligation to ensure, on a continuing basis, that it complied with the GDPR once that Regulation came into force.

6.67. Marriott recognises this, but relies upon inter alia its PCI DSS assessment process as the means by which this continuing obligation was discharged.[81] However, PCI DSS assessments are limited in their ability to detect and mitigate vulnerabilities within a network, for the reasons given at paragraph 6.29 above. Rather, adequate and appropriate due diligence would have included reviewing the adequacy of the monitoring (including logging) systems within the network.

6.68. Thus, for the avoidance of any doubt, this decision relates solely to Marriott's failures after 25 May 2018. The Commissioner has not issued a decision under the Data Protection Act 1998 ("DPA 1998"), despite the historic, pre-2018 nature of the concerns in respect of the Starwood system.

[77] Marriott's First Representations, paras 1.15 and 1.30-1.35.
[78] See paras 1.34 and 1.35(d) of Marriott's First Representations and paras 3.35-3.36 of Marriott's Second Representations. See also para 6.56 above.
[79] Marriott's First Representations, paras 2.4-2.10; see also Marriott's First Representations, para 1.20.
[80] Marriott's First Representations, para 1.20(a) and (b).
[81] Marriott's Second Representations, page 47.
(4) Article 25
6.69. The Commissioner acknowledges that the NOI, at para 58, included an erroneous reference to Article 25 GDPR. This was a typographical error. The penalty figure set out in the NOI did not take into account any breach of Article 25.
(5) Article 33
6.70. At the NOI stage, a provisional finding of breach of Article 33 GDPR was proposed. However, this finding no longer forms part of the decision against Marriott.
6.71. In reaching this decision, the Commissioner did consider Marriott’s claims that (i) the Commissioner failed to identify the date on which Marriott became aware of the breach;[82] and (ii) the Commissioner misapplied the GDPR rules on when a controller must be taken to be aware of a personal data breach.[83]
6.72. However, it is not accepted that the NOI failed to identify the date on which Marriott became aware of the breach for the purposes of Article 33 GDPR. The Commissioner identified 8 September 2018 as the relevant date at para 52 of the NOI: “Marriott had been aware of unauthorised access to the Starwood systems since the Guardium alert on 8 September 2018... It would have been reasonable at that point for Marriott to conclude that personal data was likely to have been accessed by an unauthorised party.” The reference to the “dmp” files in para 53 of the NOI cannot reasonably be read as referring to the identification of the dmp files on 13 November 2018.[84] Rather, this was a reference to the fact that on 7 September 2018 the Attacker exported the “Guest_Master_Profile” table - a table that Marriott knew to contain personal data - into a “dmp” file. Marriott was alerted to the presence of the Attacker by Accenture on 8 September 2018, the day after this took place.
6.73. Marriott was also incorrect to submit that the GDPR requires a data controller to be reasonably certain that a personal data breach has occurred before notifying the Commissioner. Rather, a data controller must be able reasonably to conclude that it is likely a personal data breach has occurred to trigger the notification requirement under Article 33.
[82] Marriott’s First Representations, -2, 3.2.1.
[83] Marriott’s First Representations, -2.11.2.4.
[84] Marriott’s First Representations, para 2.1.
6.74. Nevertheless, the Commissioner took into account, in particular, Marriott’s explanation that a count can be performed on a database without any of the personal data held on that database being accessed, and that Marriott’s position is that it was unaware of the export of the “Guest_Master_Profile” table into a “dmp” file (which took place on 7 September 2018) until 13 November 2018.[85] The Commissioner has also taken into account Marriott’s submission that the “Guest_Master_Profile” contained non-personal data, and therefore it was only with decryption of that file on 19 November 2018 that it became aware of the personal data breach.
6.75. Thus, in this particular case, and in the light of Marriott’s Representations, the Commissioner has decided not to make a finding that Marriott breached Article 33 GDPR.
(6) Article 34
6.76. The NOI contained a provisional finding of a breach of Article 34 GDPR. Marriott submitted detailed submissions in response to that proposal.[86]
6.77. The Commissioner recognises that Marriott established a dedicated website regarding the breach, and issued a press release which was widely-reported.[87] Marriott claims in its Representations that a dedicated website and press release would have been sufficient for it to have discharged its obligations under Article 34.[88] This is incorrect.
6.78. Article 34(1) requires Marriott to “communicate the personal data breach to the data subject” (emphasis added). Where this would involve “disproportionate effort”, Marriott may issue a public communication or similar measure (Article 34(3)(c)). Sending an email to data subjects whose current email addresses are stored on Marriott’s systems is not, on any view, a disproportionate measure. It is a routine commercial activity. This is supported by the fact that Marriott did inform the data subjects, via email, very soon after it identified the breach. The Commissioner accepts that some data subjects will not have been contactable in that way; the most obvious example being individuals who had changed their contact details. In these cases, it may have involved a disproportionate effort to track those individuals down in order to communicate the breach and, for such individuals, Marriott will have discharged its duty by way of its press release and dedicated website. However, Marriott is not entitled to rely upon communications which are addressed to the world at large (such as its press release and website) as discharging its duties under Article 34(1) in relation to all data subjects.
6.79. The Commissioner is accordingly entitled to consider Marriott’s direct communications (including emails) with the affected data subjects as the means by which Marriott sought to satisfy its obligations under Article 34 GDPR.
6.80. The email sent by Marriott referred to a “dedicated call centre”, this being a specific telephone line set up for affected data subjects to contact for further information, but it did not include the telephone number. The email, having communicated the “name” of the contact point, did not communicate the “contact details” of the point where more information could be obtained. While plainly not deliberate, these omissions to some extent undermined the effectiveness of the notification.
6.81. The Commissioner has taken into account the fact that the email contained a link to the dedicated website, which in turn provided the telephone number for the dedicated call centre,[89] although the email itself did not. On this occasion, and in light of the information that Marriott did in fact provide to affected data subjects, this Penalty Notice does not include any finding that Marriott breached Article 34 GDPR.
[85] Marriott’s First Representations, paras 2.4-2.10.
[86] Marriott’s First Representations, paras 2.11-2.16.
[87] Marriott’s First Representations, para 2.12.
[88] Marriott’s First Representations, para 2.14.
[89] Marriott’s First Representations, para 2.14(a).
7. REASONS FOR IMPOSING A PENALTY & CALCULATION OF THE APPROPRIATE AMOUNT
7.1. For the reasons set out above, the Commissioner’s view is that Marriott has failed to comply with Articles 5(1)(f) and 32 GDPR. These failures fall within the scope of section 149(2) and 155(1)(a) DPA. For the reasons explained below, the Commissioner has decided that it is appropriate to impose a penalty in the light of the infringements she has identified.
7.2. In deciding to impose a penalty, and calculating the appropriate amount, the Commissioner has had regard to the matters listed in Articles 83(1) and (2) GDPR and has applied the five-step approach set out in her RAP.
The imposition of a penalty is appropriate in this case
7.3. Both the RAP and Article 83 GDPR provide guidance as to the circumstances in which it is appropriate to impose an administrative fine or penalty for breaches of the obligations imposed by the GDPR.
7.4. Article 83(2) GDPR lists a number of factors that must be taken into account. These are each discussed in detail below in determining the appropriate level of fine, in accordance with the steps outlined in the RAP. The points made below are also relied upon in justifying the Commissioner’s decision to impose a penalty, in the light of the findings of infringement set out above.
7.5. The RAP provides guidance on when the Commissioner will deem a penalty to be appropriate.[90] In particular, the RAP explains that a penalty is more likely to be imposed where, inter alia, (a) a number of individuals have been affected; (b) there has been a degree of damage or harm (which may include distress and/or embarrassment); and (c) there has been a failure to apply reasonable measures (including relating to privacy by design) to mitigate any breach (or the possibility of it).
7.6. As discussed in more detail below, each of those features is present in this case. Taking together the findings made above about the nature of the infringements, their likely impact, and the fact that Marriott failed to comply with its GDPR obligations, the Commissioner considers it appropriate to apply an effective, dissuasive and proportionate penalty, reflecting the seriousness of the breaches which have occurred.
[90] Pages 24-25, see para 2.37 above.
Calculation of the appropriate penalty
Step 1: an ‘initial element’ removing any financial gain from the breach[91]
7.7. Marriott did not gain any financial benefit, or avoid any losses, directly or indirectly as a result of the breach. The Commissioner has not, therefore, added an initial element at this stage.
Step 2: Adding in an element to censure the breach based on its scale and severity, taking into account the considerations identified at sections 155(2)-(4) DPA
7.8. Sections 155(2)-(4) DPA refer to and reproduce the matters listed in Articles 83(1) and 83(2).
The nature, gravity and duration of the failure (Article 83(2)(a))
7.9. Nature and gravity of the failures: The nature of the failures is of significant concern. As set out above, there were multiple measures that Marriott could have put in place that would have allowed for the detection of or mitigated the Attack insofar as it continued after 25 May 2018.[92] What the Attack shows is that during the relevant period Marriott was processing data on a system that had multiple security failings that were exploited by the Attacker and could have been exploited by others.
7.10. In Marriott’s submissions it has placed a great deal of emphasis on other security measures it had in place, criticising the NOI/draft decision for failing to look at the matter holistically.[93] This criticism is misplaced. The Commissioner has carried out a holistic analysis of the relevant systems and security processes operated by Marriott. What that analysis showed was that the measures identified in section 6 above were appropriate to secure the CDE. Marriott’s implementation (or perceived implementation) of other security measures was not sufficient. It was appropriate for there to be multiple layers of security in this case (for the reasons given at paragraph 6.17 above).
[91] Removing any financial gain the data controller may have obtained from the infringement is consistent with ensuring that the penalty is effective, proportionate and dissuasive (Article 83(1)), and has regard to Article 83(2)(k), which refers to “financial benefits gained or losses avoided, directly or indirectly, from the infringement.”
[92] Marriott’s First Representations at para 3.2(a) have been considered and addressed in section 6 above.
[93] Marriott’s Second Representations, para 2.2(c).
7.11. An extremely large number of individuals were affected by the breach, specifically, 339 million guest records, of which - for the purposes of this penalty - 30.1 million[94] were guest records associated with EEA member states. Marriott has explained that the total number of affected guests is difficult to estimate from this figure as it may hold multiple records for an individual guest.[95] Even taking into account that the true number of affected individuals may be 40% lower than initially estimated by Marriott,[96] this is still a significant number of individuals.
7.12. The mitigating steps taken by Marriott will have gone some way to reassuring Marriott’s customers and therefore may have reduced or mitigated the distress that may otherwise have been caused by the data breach. The assurances given and the mitigating steps taken by Marriott are taken into account below. It is nevertheless likely that some of the affected individuals will, depending on their circumstances, still have suffered anxiety and distress as a result of the disclosure of their personal information (including payment card information[97]) to an unknown individual or individuals. The Commissioner has considered in this regard the submissions made by Marriott in its Representations.[98] She notes the following points:
a. The Commissioner has not seen any evidence of financial damage and is not required to investigate the existence or otherwise of financial damage.[99] In calculating the appropriate level of penalty, the potential existence of such damage has not been assumed or taken into account.
b. It is possible that some individuals may have cancelled their payment cards. Contrary to Marriott’s submissions,[100] the Commissioner is not required to investigate or identify evidence of individuals actually cancelling their cards. In circumstances where a large number of individuals have been informed that their data, including some credit card data, have been compromised, the Commissioner considers it likely that some individuals will have taken this step.
c. The possibility that some individuals may have been prompted to cancel their payment cards is just one element of the overall assessment of whether the breaches of the GDPR were likely to cause distress. The act of cancelling a card may in and of itself only cause inconvenience. It is the reason why such action was necessary, the disclosure of personal information, that can cause distress amongst some.
d. The fact that the Marriott call centre received 57,000 calls between 30 November 2018 and 31 May 2019 (7,500 of these being calls to EU-based call centres) is indicative of the potential level of concern amongst affected data subjects on learning of the breach and subsequently.[101]
e. Further, even if individuals opted not to cancel their credit cards, the Commissioner considers it likely that some individuals will have experienced distress at having their personal data exposed in a large-scale data breach. Marriott’s suggestion that distress will only arise in cases where they are advised by their banks to cancel their payment cards[102] ignores the fact that all personal data (not just financial data) is of significance to individuals, a significance which is reflected in the legal protections afforded to that data under the GDPR.
7.13. Duration: Although the Attack itself spanned a four-year period, the infringements that the Commissioner relies on in this Notice occurred between 25 May 2018 (the date when the GDPR came into force) and 17 September 2018. The Commissioner considers this to be a significant period of time over which unauthorised access to personal data went undetected and/or unremedied.[103]
[94] Marriott’s First Representations, page 65.
[95] See Marriott’s Second Representations, paras 2.4-2.6.
[96] Ibid.
[97] Notwithstanding the fact that there was no actual financial harm to individuals, see Marriott’s Second Representations para 2.7(a)(i).
[98] Marriott’s First Representations, para 3.1(d) and Marriott’s Second Representations, paras 2.7-2.8.
[99] A point emphasised in Marriott’s First Representations, para 3.2(d)(ii)(A); and Marriott’s Second Representations, para 2.7(a)(i).
[100] Marriott’s Second Representations, para 2.7(a)(iii).
[101] See further Step 5 below.
[102] See Marriott’s Second Representations, para 2.7(a)(iii), which is then contradicted by the statement in para 2.7(a)(iv), which suggests that card cancellation is merely an “inconvenience” and not, as suggested in sub-para (iii), a necessary component of a finding of distress.
[103] Marriott’s First Representations at para 3.2(b) and Marriott’s Second Representations at para 2.3.
The intentional or negligent character of the infringement (Article 83(2)(b))
7.14. The Commissioner has had regard to the guidelines provided by the Article 29 Working Party in relation to assessing the character of the infringement in issue. It explains that:
“... In general, “intent” includes both knowledge and wilfulness in relation to the characteristics of an offence, whereas “unintentional” means that there was no intention to cause the infringement although the controller/processor breached the duty of care which is required in the law. It is generally admitted that intentional breaches, demonstrating contempt for the provisions of the law, are more severe than unintentional ones and therefore may be more likely to warrant the application of an administrative fine. The relevant conclusions about wilfulness or negligence will be drawn on the basis of identifying objective elements of conduct gathered from the facts of the case...”[104]
7.15. The Commissioner recognises that the infringement was not an intentional or deliberate act on the part of Marriott. This has been taken into account in assessing whether a fine is appropriate in this case.
7.16. The Commissioner does, however, consider that Marriott was negligent (within the meaning of Article 83(2)(b) GDPR) in maintaining systems that suffered from the vulnerabilities and shortcomings identified in Section 6 above.[105]
7.17. In making this determination, the Commissioner places some weight on the relevant context: a company of the size and profile of Marriott is expected to be aware that it is likely to be targeted by attackers, sophisticated or otherwise. Marriott must be aware that the nature of its business involves processing large volumes of personal data, including sensitive personal data. The risk of any compromise of that information may have significant consequences for Marriott’s customers and its own business.
[104] Pp.11-12.
[105] Marriott’s general claim at para 2.9(b) of its Second Representations refers to its specific explanations in section 3 of those representations, which have been addressed in section 6 above.
7.18. In view of these factors, the Commissioner: (a) would expect Marriott to have taken appropriate steps or a combination of appropriate steps to secure the personal data of its customers; and (b) considers that Marriott failed to comply with the standards imposed by the GDPR in failing to do so. Beyond this, the Commissioner has not treated the nature of Marriott’s conduct under Article 83(2)(b) as an aggravating factor in assessing whether to impose a penalty, or how much that penalty should be. However, she is obliged to take into account the character of the infringement under Article 83(2)(b). Thus, she does not consider that she has erred in “applying this factor”, as Marriott submitted in its First Representations.[106]
7.19. Marriott relied upon the Article 29 WP Guidelines to argue that the draft decision failed to treat the fact that the breaches were not deliberate as a positive factor in favour in assessing whether to impose a fine.[107] These Guidelines state that intentional breaches are more likely to warrant the application of a fine. Marriott submitted that if this is the case, the absence of intention must weigh in the controller’s favour.
7.20. It is unclear what additional weight Marriott considers the absence of intention should attract in this case. The mere recognition in the Article 29 WP Guidelines of the obvious point that a deliberate breach is more likely to result in certain consequences does not alter the fact that a penalty may be imposed for a breach of a different nature (and nor would it be consistent with Article 83 GDPR if fines only applied to deliberate conduct). The Commissioner has taken into account the fact that the breaches were not deliberate as part of her overall assessment (as Marriott recognises[108]). However, in circumstances where, as here, the breaches were negligent within the meaning of Article 83(2)(b), that fact must also be taken into account when assessing whether to impose a fine and, if so, at what level.
7.21. Marriott also criticised the Commissioner’s analysis as being duplicative because she had regard to, inter alia, the scale of Marriott’s processing operations in assessing whether its actions were negligent under Article 83(2)(b), as well as in assessing whether it complied with Articles 5 and 32 GDPR.[109] While it is true that the Commissioner considered some of these factors when concluding whether there was a breach of Articles 5 and 32, these factors are relevant in both contexts. The issue of whether a breach has arisen, and the nature of Marriott’s responsibility for it, are clearly related issues.
[106] Marriott’s Representations, para 3.3.
[107] Marriott’s Second Representations, para 2.9(a).
[108] Ibid.
Any action taken by the controller or processor to mitigate the damage suffered by data subjects (Article 83(2)(c))
7.22. The Commissioner has carefully considered Marriott’s submissions to the effect that it could not discern from the draft decision how the mitigation action it took in response to the Attack has been taken into account because it was dealt with at this Step, rather than at Step 5.[110]
7.23. The Commissioner remains of the view that it makes no difference to the ultimate decision on what, if any, penalty to impose whether the action taken by the controller to mitigate the damage is taken into account here, or under Step 5 in this Penalty Notice. However, she has decided to consider this issue separately under Step 5 in this Penalty Notice.
[109] Marriott’s Second Representations, para 2.9(c).
[110] Marriott’s Second Representations, paras 1.9-1.10, and 1.34.
The degree of responsibility of the controller or processor (Article 83(2)(d))
7.24. As a controller, Marriott is responsible under the GDPR for the security of its systems and the protection of personal data stored within those systems. It is required by the GDPR to implement security measures to reduce the vulnerability of those systems, and the vulnerability of the personal data processed within those systems, to attack. While the entry of the Attacker into Starwood’s systems pre-dates Marriott’s acquisition of that company, Marriott had an ongoing duty to ensure the safety and security of the systems it was using to process personal data.
7.25. As is clear from Section 6 above, there were multiple deficiencies in the security measures in place in respect of the Starwood system, which Marriott continued to operate to process personal data after the GDPR came into force. As a result, the Attacker was able to remain present and undetected in the system after 25 May 2018 until the triggering of the Guardium alert in September 2018.
7.26. The Commissioner therefore considers that, for the duration of the infringement on which this penalty is based, Marriott is wholly responsible for the breaches of Articles 5(1)(f) and 32 GDPR described above.
7.27. In its Representations, Marriott highlighted the fact that the NOI did not mention that Accenture provided it with third-party IT services.[111] In response to the draft decision, Marriott explained that in its view, the fact that it engaged Accenture to assist in the security management of the Starwood network should be taken into account in assessing Marriott’s responsibility for the Attack.
7.28. It is acknowledged that Accenture is an experienced provider of security services and that it provided services in relation to Marriott’s security environment. However, the fact that it was charged with implementing, maintaining or managing certain elements of the system does not reduce Marriott’s responsibility for the breaches of the GDPR that have been identified. In circumstances where Marriott accepts that it is the relevant data controller, and significant failures in its security measures have been identified, the engagement of third parties cannot reduce its degree of responsibility.
7.29. For the avoidance of doubt, however, in taking a holistic view of the security measures put in place, account has been taken of, for example, the fact that Guardium was in place and certain alerts were applied under that system (which Accenture monitored).
7.30. Finally, Marriott is correct to state in its Representations that the Article 29 WP Guidelines provide that “industry standards... are important to take into account” when assessing compliance with the GDPR. The Commissioner has taken into account Marriott’s detailed submissions on its compliance with PCI DSS standards, in particular in respect to the concerns which arose in respect of the application of MFA across the Starwood network.[112] However, Marriott’s obligations under Article 5(1)(f) and Article 32 GDPR go beyond the requirements of the PCI DSS and extend to all personal data, not just cardholder information with which those standards are concerned. The fact that Marriott may have complied with certain industry guidance focusing on specific types of personal data does not obviate or reduce its responsibility for the security of all of the personal data it holds.
[111] Marriott’s First Representations, para 3.5, and Marriott’s Second Representations, paras 2.10-2.11.
        Relevant previous infringements          (Article 83(2)(e))
7.31.  Marriott has no relevant previous infringements or failures to comply
        with past notices.
7.32.  Marriott claims that this fact should weigh      positively i its favour,
        rather  than  neutrally.1t? The  fact that  Marriott  has  no  relevant
        previous infringements i a matter that has been taken into account
        i the Commissioner’s decision whether to impose a penalty, and i
        her decision as to the appropriate level of that penalty.
        Degree    of cooperation      with  supervisory    authority    (Article
        83(2)(f))
7.33.  Marriott  has cooperated    fully with  her investigation  and  this has
        been taken into account.
        Categories of personal data affected (Article 83(2)(g))
7.34.  The Commissioner    has identified the relevant categories of personal
        data  in Section 4 above.  As noted  there, the data included    in some
        (but not all) cases unencrypted      passport details, details of travel,
        and  various  other  categories  of personal    information  including
        name,  gender,  date  of birth,  VIP status,  address,  phone  number,
        email address,  and credit card data.
        Manner    in which    the  infringement      became    known    to the
        Commissioner      (Article 83(2)(h))
112 See Marriott’s First Representations, para 3.6 and MarriRepresentationspara 2.12
and Section 3.
113 Marriott’s First Representations, para 3.7.
                                                                                597.35.  Marriott  notified the Commissioner    of the Attack  on 22  November
        2018 and i considered to have complied with its obligations i this
        respect.
Conclusion at step 2

7.36. Taking into account: (a) the matters set out in Sections 2-4 and 6 above; (b) the matters referred to in this section; and (c) the need to apply an effective, proportionate and dissuasive fine in the context of a controller of Marriott’s scale and turnover, the Commissioner considers that a penalty of £28 million would be appropriate, before adjustment in accordance with Steps 3-5 below and the application of the Commissioner’s Covid-19 policy. This amount is considered appropriate to reflect the seriousness of the breach and takes into account in particular the need for the penalty to be effective, proportionate and dissuasive.

Step 3: Adding in an element to reflect any aggravating factors (Article 83(2)(k))

7.37. The amount of the penalty, as identified at Step 2, may be increased where there are ‘other’ aggravating factors.[114] In this case, the Commissioner does not consider there to be any other relevant aggravating factors. Thus, no adjustment is made to the penalty level determined at Step 2.

Step 4: Adding in an amount for a deterrent effect on others

7.38. The Commissioner is under an obligation to impose a penalty which is “dissuasive”. The need for the penalty to be dissuasive in relation to Marriott itself is addressed by the analysis at Step 2. Having regard to the amount of the penalty identified under Step 2, the Commissioner does not consider it necessary to increase the penalty further under Step 4 to dissuade others.[115]

7.39. The Commissioner is not aware of widespread issues of poor practice that may be particularly deterred by the imposition of a higher penalty. Given Marriott’s size and the scale of its operations, and the fact that the Commissioner has decided to impose a penalty that already takes those factors into account as part of the need to ensure that any penalty is proportionate, effective and dissuasive and to reflect the seriousness of the breach, the Commissioner considers that no adjustment is necessary under Step 4.

114 In accordance with Article 83(2)(k) GDPR, section 155(3)(k) DPA, and page 11 of the RAP.
115 This makes redundant the points about this Step made by Marriott in its Representations.
Step 5: Reducing the amount (save that in the initial element) to reflect any mitigating factors, including ability to pay (financial hardship) (Article 83(2)(k))

7.40. As explained above, in principle, other relevant mitigating factors could be taken into account under Step 2 or Step 5 of the RAP. Previously the Commissioner considered such matters in the round under Step 2 of the RAP, taking into account the factors in Article 83 GDPR and section 155(3) DPA 2018. However, in the light of Marriott’s representations for the purposes of this Penalty Notice the Commissioner has considered the relevant mitigating factors under Step 5.

7.41. Following the guidance set out at page 11 of the RAP, and having considered Marriott’s Representations, the Commissioner has taken into account the following mitigating factors:
a. Marriott had, prior to becoming aware of the Attack, confirmed in 2018 a new $19 million security investment for 2019, which raised Marriott’s budgeted spend for that year on security to $49.5 million. Subsequent investment decisions in 2019 have raised Marriott’s forecasted IT security budget spend on IT security for 2020 to $108.5 million;
b. Marriott took immediate steps to mitigate the effects of the Attack and protect the interests of data subjects by implementing remedial measures;
c. Marriott cooperated fully with the Commissioner’s investigation, including responding promptly to requests for information;
d. Widespread reporting in the media of the Attack is likely to have increased the awareness of other data controllers of the risks posed by cyber-attacks and of the need to ensure that they take all appropriate measures to secure personal data; and
e. The Attack and subsequent regulatory action has adversely affected Marriott’s brand and reputation, which will have had some dissuasive effect on Marriott and other data controllers.
7.42. More specifically, the Commissioner has taken into account the fact that, upon being alerted to the Attack, Marriott acted promptly to mitigate the risk of damage suffered by data subjects, by way of the following technical remedial measures:
a. The deployment of real-time monitoring and forensic tools on 70,000 devices on the Starwood network;
b. Implementing password resets;
c. Disabling known compromised accounts; and
d. Implementing enhanced detection tools.

7.43. These measures should allow Marriott to prevent similar breaches in the future, including by identifying any additional attackers or malicious software being utilised on its servers.

7.44. The Commissioner has also taken into account the fact that Marriott also took steps to: (a) establish a notification and communication regime; (b) create a bespoke incident website in numerous languages; (c) send 9.2 million notification emails to data subjects whose country of residence was recorded in the Starwood Guest Reservation Database as being in the EU; (d) establish a dedicated call centre; (e) provide web monitoring to affected data subjects; (f) enhance its data subject rights programme; (g) engage with card networks; and (h) improve its technical and organisational measures generally.[116] It is also noted that Marriott informed a number of other regulatory and law enforcement agencies.

7.45. It is acknowledged that the steps outlined above will have gone some way to reassuring Marriott’s customers, and therefore may have reduced or mitigated any distress caused by the breach. However, the fact that the Marriott call centre received 57,000 calls between 30 November 2018 and 31 May 2019 (7,500 of these being calls to EU-based call centres)[117] is indicative of the level of concern amongst affected data subjects on learning of the breach and subsequently.[118]

7.46. Contrary to Marriott’s submissions,[119] the fact that very few of these calls were escalated internally or resulted in a complaint is irrelevant. The information provided by Marriott suggests that call handlers had FAQs available to advise customers on how to respond to the breach etc, which was presumably intended to address most situations arising.[120] Thus, the fact that only a certain number of individuals had their calls escalated / resulted in a complaint does not provide any real indication of the extent to which individuals were distressed or harmed by the loss of their data.

7.47. Marriott also relied in this regard on a claim that the Commissioner’s findings of distress and harm were materially undermined because the centre only received 57,000 calls when millions of individuals were affected by the breaches.[121] However, in circumstances where: (a) Marriott had established a dedicated website to address concerns; and (b) individuals may have sought advice from third parties and/or acted on their own knowledge and experience, the comparison between these figures does not undermine the Commissioner’s findings. The number of calls is sufficiently large to suggest that there were data subjects who were concerned.

7.48. Thus, while the Commissioner has taken into account, as outlined below, the steps taken by Marriott to mitigate the impact of its breaches of the GDPR, she remains of the view that those actions would not have immediately neutralised all the concerns on the part of data subjects about their data being in the hands of criminals / outside of Marriott’s control.

7.49. Having regard to the mitigating factors set out above, it is appropriate to reduce the £28 million penalty by 20%, i.e. to £22.4 million.

7.50. As a result of the Covid-19 pandemic, Marriott has also argued that any penalty should be reduced because of the financial hardship it would cause.

7.51. The Commissioner has considered Marriott’s representations, and the evidence it has provided. Although the Covid-19 pandemic has had a significant impact on Marriott’s revenues, Marriott’s overall financial position is such that the Commissioner does not consider that the imposition of a penalty in the range being proposed will cause financial hardship, or that Marriott will be unable to pay such a penalty.

116 Marriott’s First Representations, para 3.4.
117 Marriott’s Second Representations, para 2.7(b)(ii).
118 Contrary to para 2.7(a)(b)(i) of Marriott’s Representations, it is not being suggested that all of those who called Marriott’s call centre were suffering from distress, but it is likely that - as stated here - the majority of callers were at least sufficiently concerned to make the call, which is inconsistent with Marriott’s position that no or only trivial harm at all would have arisen.
119 Marriott’s Second Representations, para 2.7(b)(iii).
120 Marriott’s Second Representations, para 2.7(b)(iii).
121 Marriott’s Second Representations, para 2.7(b)(iv).
7.52. However, the Commissioner has published guidance entitled “The ICO’s regulatory approach during the Coronavirus public health emergency”.[122] That guidance indicates that “As set out in the Regulatory Action Policy, before issuing fines we take into account the economic impact and affordability. In current circumstances, this is likely to mean the level of fines reduces.” While the proposed penalty will not cause financial hardship for Marriott, the Commissioner considers it appropriate to reduce the penalty that would otherwise have been imposed, in light of the current public health emergency and associated economic consequences. This is addressed below, separately from Step 5.

7.53. The Commissioner has carefully considered Marriott’s submissions that there are other additional mitigating factors that should be taken into account in this case.[123] However, none of the points raised justify a further reduction of the appropriate penalty beyond the discount set out above. In particular:
- The Commissioner does not consider it appropriate to further reduce the penalty by reference to costs to Marriott of taking measures to rectify or mitigate the impact of its infringement, including the cost of establishing a bespoke website, call centre, web monitoring, the enhancement of Marriott’s data subject rights programme, and any other customer-facing remediation activities. The fact that Marriott was required to expend a large amount - on Marriott’s assessment in excess of $50 million[124] - in customer-facing remediation activities is not directly relevant to the amount of any penalty. The fact that mitigating measures were taken, in accordance with Marriott’s obligations as a controller, has already been taken into account.
- Marriott’s preparations for the introduction of GDPR are noted.[125] However, these do not address the Commissioner’s conclusions on Marriott’s failure to implement appropriate security measures in relation to the systems it acquired from Starwood.
- The Commissioner has recognised that the Attack involved persistent criminal activity.[126] But this does not alter the fact that the security of Marriott’s network was inadequate in a number of respects, and that those failings could and should have been addressed on a prospective basis through the implementation of appropriate measures. It is Marriott’s breaches of Articles 5(1)(f) and 32 GDPR for which it is being penalised, not the actions of third parties.
- The security measures that were deployed on the Starwood security environment and on the Starwood Guest Reservation Database are noted.[127] However, the existence of these measures does not detract from the Commissioner’s conclusions on Marriott’s failure to implement appropriate security measures (see section 6). That Marriott took some steps to secure the Starwood system is not considered to be a mitigating factor in the circumstances of an infringement of this scale and severity.

7.54. Accordingly, having carefully considered the mitigating factors raised by Marriott, which are relevant to the assessment of the appropriate level of any penalty, the overall penalty payable by Marriott after Step 5 is £22.4 million.

Application of Covid-19 Policy

7.55. As described above, having regard to the impact of the Covid-19 pandemic (on Marriott and more generally), and consistently with the Commissioner’s published guidance, a further reduction is appropriate and proportionate. The final penalty payable will therefore be reduced to £18.4 million.

122 Version 2.1, 13 July 2020.
123 Marriott’s First Representations, para 3.13(c).
124 Marriott’s First Representations, paras 3.4(a) and 3.13(c)(vi).
125 As relied upon at paras 3.13(c)(iii) of Marriott’s First Representations.
126 Marriott’s First Representations, para 3.13(c)(iv).
127 Marriott’s First Representations, para 3.13(c)(i)-(ii).
Application of the fining tier(s) (Articles 83(4) and (5) GDPR)

7.56. The infringement of Article 5(1)(f) GDPR falls within Article 83(5)(a) GDPR, whereas Article 32 falls within Article 83(4)(a). The appropriate tier is therefore that imposed by Article 83(5)(a) as this is the gravest breach in issue in this case.

7.57. In any event, for the year ended 31 December 2017 Marriott has confirmed that its relevant worldwide annual turnover is $4.997 billion. The penalty the Commissioner has decided to impose on Marriott is the sum of £18.4 million. This is considerably less than 4%, indeed considerably less than 1%, of Marriott’s total worldwide annual turnover, and accordingly well within the cap imposed by Article 83(5) GDPR.
Marriott’s other representations on the decision to impose a penalty and the appropriate penalty amount

7.58. Marriott’s Representations contained detailed submissions in response to: (a) the Commissioner’s decision to impose a penalty at all; and (b) the proposed penalty amount, as indicated in the Notice of Intent. The Commissioner has carefully considered those submissions and, to the extent they have not been addressed above, responds to them below.

7.59. In summary, Marriott submitted as follows:
a. First, the Commissioner misapplied Article 83(2) in deciding to impose a fine and in determining the appropriate level of penalty. A proper application of that Article should result in no fine being imposed at all or, in the alternative, it should result in the imposition of only a low level of penalty;[128]
b. Second, the Commissioner unlawfully applied an unpublished internal document, entitled “Draft Internal Procedure for Setting and Issuing Monetary Penalties”, in setting the proposed penalty on Marriott which was included in the NOI.[129] However, setting a proposed penalty amount without the Draft Internal Procedure (or similar), as the Commissioner did in the draft decision, also offends the principle of legal certainty.[130]
c. Third, the Commissioner erred by relying on turnover as the sole metric in determining the level of fine proposed in the NOI, and in continuing to treat turnover as the most important factor in its quantification analysis in the draft decision;[131]
d. Fourth, the Commissioner has applied the wrong fining Tier under Article 83 GDPR in calculating the proposed fine;[132]
e. Fifth, the Commissioner erred in the NOI by applying an uplift to ensure an appropriate deterrent effect;[133]
f. Sixth, the Commissioner breached Marriott’s legitimate expectation that she would operate her fining powers under the GDPR in accordance with past precedents, i.e. decisions made under the DPA 1998 and/or only applying incremental increases to the fines that would have been imposed under the 1998 Act (which was subject to a £500,000 maximum fine limit).[134] This same failure, which Marriott described as a failure to comply with the “Precedents-Based Approach”, is also said to amount to a breach of the principle of legal certainty.[135] In its Second Representations, in particular, Marriott contends that in the absence of any new guidance providing clear and specific quantification methodology determining how fines are to be calculated, any decision to issue a fine would breach that principle.[136] In this regard Marriott also relies on a comparison with a case decided by the Financial Conduct Authority (the “FCA”) in respect of Tesco Bank.[137] It also relies on an alleged inconsistency between the penalty proposed in this case and those imposed through other decisions issued by the Commissioner and by other European supervisory authorities.[138]
g. Seventh, the Commissioner has acted contrary to the RAP because she has failed to calculate the penalty proposed in the NOI and the draft decision in accordance with its terms;[139] and
h. Eighth, the Commissioner proposed a penalty in the NOI which is disproportionate on its face, and the revised penalty set out in the draft decision remains disproportionate.[140]

128 Marriott’s First Representations, Executive Summary, para 8 and Section 3; and Marriott’s Second Representations, Section 2.
129 Marriott’s First Representations, Executive Summary, para 9(a) and paras 4.2-4.12, 4.14(e), 4.19.
130 Marriott’s Second Representations, Executive Summary, para 1 and paras 1.1-1.5.
131 Marriott’s First Representations, Executive Summary, para 9(b), and paras 4.14-4.15; and Marriott’s Second Representations, paras 1.35-1.38.
132 Marriott’s First Representations, Executive Summary, para 9(b), and paras 4.16-4.17.
133 Marriott’s First Representations, paras 4.24-4.30.
134 Marriott’s First Representations, Executive Summary, para 9(c), and paras 4.36-4.41; Marriott’s
135 Marriott’s First Representations, Executive Summary, para 9(c), and paras 4.50-4.73; and Marriott’s Second Representations, Executive Summary, para 1, and para 1.1.
136 Marriott’s Second Representations, Executive Summary, para 1 and paras 1.6-1.11.
137 Marriott’s First Representations, paras 4.3 and Marriott’s Second Representations, paras 1.26-1.27.
(1) Application of Article 83(2)

7.60. The Commissioner has described at paragraphs 7.3-7.53 how the factors listed in Article 83(2) apply to the facts of this case. In its Representations, Marriott criticised the Commissioner’s findings in this regard. Where necessary those criticisms have been addressed at each step of the analysis set out above and/or in Section 6 above.
(2) Draft Internal Procedure

7.61. Prior to issuing the NOI in this case, the Commissioner had developed a Draft Internal Procedure for calculating proposed fines, as a supplement to the RAP. Its purpose was to provide an indicative guide, by reference to the turnover of the controller, as to the appropriate penalty. As the GDPR is a new regime, this additional tool was intended to assist the decision-makers in applying Article 83 GDPR and the RAP to the facts of a particular case.

7.62. Marriott made detailed submissions on this issue.[141] The Commissioner has considered those submissions in deciding how to approach the calculation of the penalty to be imposed in the draft decision, and ultimately in this Notice.

7.63. The Commissioner remains of the view that the controller’s turnover is a relevant consideration in determining the appropriate level of penalty (see below), but she has decided that the Draft Internal Procedure should not be used. Therefore, in deciding the appropriate penalty in this case the Commissioner has not relied on the Draft Internal Procedure (she did not rely upon it for the purposes of her draft decision, and the same approach was adopted in preparing this Penalty Notice). She has instead relied only on Article 83 GDPR, section 155 DPA and the RAP. The approach taken to the calculation of the penalty for the purposes of this Notice is set out above.

138 Marriott’s Second Representations, Executive Summary, paras 1.12-1.19.
139 Marriott’s First Representations, paras 4.42-4.49; and Marriott’s Second Representations, Executive Summary, para 2, and paras 1.32-1.34.
140 Marriott’s First Representations, Executive Summary, para 9(d), and paras 4.74-4.77; and Executive Summary, para 1, and paras 1.39-1.41 of Marriott’s Second Representations.
141 See paras 4.2-4.12 of Marriott’s First Representations and paras 1.2-1.5 of Marriott’s Second Representations in particular.
7.64. Marriott is wrong to assert that, but for its pressing for disclosure in correspondence, the Commissioner would not have disclosed the draft guidance document.[142] The policy was provided on 2 August 2019 in response to a request made in a letter from Marriott dated 24 July 2019. The NOI set out how the penalty was arrived at. The Commissioner also provided further information about how the penalty was calculated in her letter of 17 July 2019. The Commissioner is obliged to consult the controller on the NOI and she did so. Marriott took the opportunity to make detailed submissions, and the Commissioner has carefully considered all those submissions, and acted upon them to address the concerns raised.

7.65. Marriott’s First Representations also criticised the use of a percentage range as part of its process for calculating the proposed penalty (applying the Draft Internal Procedure) and/or the way in which the Commissioner applied the turnover bands at the NOI.[143] As this approach has not been adopted in this Notice, nor has the Draft Internal Procedure been applied, the Commissioner does not respond to the individual points made by Marriott on the application of the Draft Internal Procedure further here.

7.66. In its Second Representations, Marriott states that whilst it welcomes the fact that the Draft Internal Procedure is no longer relied upon by the Commissioner, (a) the Commissioner cannot rely upon the £99.2m figure proposed in the NOI as a reference point when assessing the legality or proportionality of the present proposed penalty figure;[144] (b) the RAP cannot constitute an adequate basis for the calculation of a penalty in circumstances where the Commissioner had previously devised the Draft Internal Procedure;[145] and (c) in the absence of the Draft Internal Procedure, there is a lack of clarity governing penalty calculation and this undermines legal certainty.[146] These points are not accepted for the following reasons.

142 Marriott’s Representations, paras 4.2 and 4.8.
143 Marriott’s Representations, paras 4.19-4.23.
144 Marriott’s Second Representations, para 1.3.
145 Marriott’s Second Representations, para 1.4.
7.67. First, the Commissioner does not seek to use the figure of £99.2m, as proposed in the NOI, as a “reference point” for the penalty set in the draft decision, or the present penalty. Rather, the Commissioner carried out a fresh calculation exercise having regard to the factors listed under Article 83 of the GDPR and the RAP. See further para 7.128 below.

7.68. Second, the Draft Internal Procedure was not developed to ‘cure’ any gap in legal certainty left by the RAP. It was intended to be a helpful supplement to the RAP for internal decision-making purposes. In deciding what level of penalty may be (at the consultation stage) or is appropriate in this case, the Commissioner has always applied the approach set out in the RAP, and considered the factors under Article 83 GDPR. The fact that a document was created to provide supplemental detail to the RAP does not render the RAP so deficient as to prevent a penalty being calculated in this case. Marriott’s submissions on legal certainty are addressed in more detail below.
(3) The Commissioner’s reliance on Marriott’s turnover

7.69. Marriott advanced a number of criticisms of the Commissioner’s reliance on turnover in calculating her proposed penalty in its First and Second Representations (see, for example, para 4.14 of its First Representations).

7.70. First, Marriott submitted that the only metric the Commissioner used to calculate the penalty proposed in the NOI was turnover. This is incorrect. As is clear from the NOI itself, while turnover was used as a starting point in seeking to assess the appropriate penalty, a range of other relevant factors were considered in accordance with the RAP and the GDPR. In any event, the turnover bandings set out in the Draft Internal Procedure have not been used in preparing this Notice.

7.71. Second, Marriott submitted that turnover cannot be regarded as a core metric in a case such as this where the wrongdoer has not profited from the breach. Marriott claimed that there is no logical relationship between the breach and the controller’s turnover. The Commissioner’s approach, Marriott said, simply punishes a controller for being a large undertaking. Marriott compares the penalty proposed in this case to the Commissioner’s decision regarding Doorstep Dispensaree Ltd, dated 20 December 2019, suggesting that this shows that the Commissioner is treating turnover, unjustifiably, as the most important factor.[147]

7.72. The Commissioner does not accept these arguments. She considers turnover to be a relevant consideration in determining the appropriate level of penalty in this case (as well as in other cases not involving a controller profiting from a breach), for the following reasons:
a. A turnover-based approach is consistent with the approach taken to penalties in the GDPR. The Data Protection Directive did not prescribe the level of fines that Member State authorities should impose for data breaches. The GDPR departs from that approach. In doing so, it expresses the maximum penalty in terms of a percentage of turnover. Turnover is therefore a relevant factor in determining the appropriate level of penalty to be imposed. This is also reflected in the Recitals, which make clear that the economic position of the controller is relevant even where the controller is a private person and not an undertaking: “Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine.”
b. Further, and in any event, the Commissioner is obliged to ensure that any penalties imposed are “effective, proportionate and dissuasive”. Having regard to a data controller’s turnover complies with this principle by ensuring that the level of any penalty is not only proportionate, but is also likely to be an effective and dissuasive deterrent for the undertaking on which it is imposed, and other equivalent controllers. It is self-evident that imposing the same penalty on an undertaking with a turnover of billions of pounds as would be imposed on a small or medium sized business would not be effective, proportionate or dissuasive. Comparable regulatory regimes that share the GDPR’s emphasis on deterrence, such as under competition law, also take turnover into account in some form in setting penalties.

146 Marriott’s Second Representations, para 1.5.
147 Marriott’s Second Representations, paras 1.36-1.37.
        c    Marriott’s claim that the introduction of the maximum        amount
            safeguard  caps i Articles 83(4)    and  (5) does  not mean    that
            turnover can be treated as a relevant metric i incorrect, for the
            reasons articulated i points (a) and (b) above.!*° In particular,
            Marriott’s  claim  that treating  turnover  as a relevant    metric
            “outside  of disgorgement      of profits  cases  is illogical and
            perverse”,  does  not withstand    scrutiny. I i plain from      the
            relevant  provisions  of the GDPR,    read  as a whole,    that the
            economic    position  of a controller    i one    relevant  factor  i
            determining what penalty i appropriate on the particular facts
            of any case. The GDPR    does not limit the relevance of turnover
            to cases involving disgorgement.
        d.  As to the    decision  i Doorstep,    the difference  between    the
            turnover of that controller and    Marriott i obviously    relevant.
            However,    each  case  i  considered    on  its individual  facts.
            Marriott’s attempts to compare the number of records involved,
            and then scale up the appropriate      level of fine (60 times the
            number of records, results i a maximum        60 times higher level
            of fine),  are  misconceived.    See  further  paras  7.116-7.119
            below.
7.73. Third, Marriott submitted that any penalty regime engages the fundamental rights of controllers, including their fundamental right to property as provided for under Article 1 of Protocol 1 of the European Convention on Human Rights, and Article 17 of the EU Charter of Fundamental Rights.[149] The Commissioner recognises that in imposing a penalty on a controller, she must comply with any relevant fundamental rights that are engaged, including under the ECHR or the EU Charter. However, it is not accepted that taking into account a controller’s turnover in determining the appropriate penalty is incompatible with those rights because it is arbitrary or results in grossly disproportionate levels of penalty (as Marriott contended at para 4.14(c) of its First Representations). It is an approach that complies with the regime established by the GDPR.
148 Marriott’s First Representations, para 4.14(d).
149 Marriott’s First Representations, para 4.14(c).
7.74. Fourth, Marriott contended that the turnover approach is inconsistent with the RAP.[150] This is incorrect.
7.75. As explained above, the calculation of the proposed penalty in the NOI was not exclusively based on turnover, contrary to Marriott’s claim. It took account of the various factors discussed in the RAP. This Notice addresses each step of the process of the RAP in turn to make even clearer that the penalty has been set in accordance with its terms. Turnover is relevant to establishing whether a penalty is appropriate, proportionate, effective and dissuasive in applying the steps set out in the RAP, as explained above.
7.76. Moreover, Marriott’s reliance in this regard on reference in the RAP to circumstances in which the Commissioner will convene an advisory panel is misplaced.[151] The RAP describes “very significant” penalties as those “expected to be those over the threshold of 1M” in that particular context, i.e. the context in which the Commissioner may convene an advisory panel. This was not intended to be - and in any event cannot objectively be read as giving - an indication to controllers of the likely penalty they may face in the event of a data breach, particularly in light of the provisions of GDPR. The section of the RAP setting out how penalties will be calculated does not refer to the concept of “very significant” penalties at all.
7.77. Consequently, the RAP’s discussion of when an advisory panel may be convened is no basis for saying that turnover is not a relevant factor in determining penalty. Marriott was also therefore wrong to claim in its Representations that: (a) the £1million figure referred to in the discussion of when an advisory panel may be appropriate should be the starting point for calculating fines in the most serious and significant cases before the Commissioner;[152] and (b) the Commissioner must justify imposing any fine above that threshold figure. This is a misreading of the RAP, see further below.
150 Marriott’s First Representations, para 4.14(f).
151 Page 26 of the RAP. See also para 4.46 of Marriott’s First Representations.
152 Marriott’s First Representations, para 4.46.
7.78. Fifth, Marriott contended that what the Commissioner should have done in quantifying the appropriate penalty was to “(a) start with what an infringement of this nature is objectively worth in penalty terms having regard to its nature, gravity and duration, irrespective of the financial stature of the wrongdoer; then (b) add or take away amounts to reflect respectively aggravating and mitigating factors; before moving at the final stage of the analysis to (c) the question of whether, in view of all the circumstances, some increase in the penalty is required to ensure a deterrent effect.”[153]
7.79. The Commissioner’s approach is set out above. She has considered each step of the RAP, and all of the factors listed in Article 83 GDPR, in order to arrive at the overall appropriate penalty. Given that the financial stature of the wrongdoer would need to be taken into account at least in considering whether an increase in fine would be necessary to secure a deterrent effect, it is not clear that adopting the alternative structure proposed by Marriott would make any material difference to the outcome.
        (4) The appropriate tier
7.80. In response to the NOI, Marriott submitted that the Commissioner had applied the wrong fining tier. It was said that the Commissioner incorrectly categorised the breaches in issue as a Tier 2 infringement, allowing for a maximum fine of 4% of turnover.[154] This submission was based, in summary, on the following points:
        a. Article 5(1)(f) is simply a shorter, summary version, of the more detailed and specific obligation in Article 32. Article 32 GDPR therefore amounts to the lex specialis of Article 5(1)(f) and should therefore take precedence.
        b. The maximum fine should be 2% in this case because:
            i. Any ambiguity in the wording of a provision of law imposing a civil penalty should be resolved in favour of the controller.
            ii. The wording of Article 83(4) makes clear that the intention was to impose this lower maximum cap for breaches of Article 32, which is the lex specialis.
7.81. The Commissioner does not accept these submissions, for the following reasons.
153 Marriott’s First Representations, para 4.15.
154 Marriott’s First Representations, paras 4.16-4.17.
7.82. First, the GDPR addresses expressly what the appropriate maximum fine should be when a controller breaches the “basic principles of processing” under Article 5 GDPR. Article 5(1)(f), as one of the basic principles of processing, cannot be dismissed as simply a summary of a later new provision included in the GDPR. The EU legislature has made it clear that a higher penalty is appropriate where a controller is found to have breached the basic principles of processing that underpin the regime. Contrary to Marriott’s submissions, Article 83(5)(a) provides in clear, explicit and unambiguous terms that 4% is the appropriate cap for breaches of Article 5, including Article 5(1)(f).
7.83. Second, the GDPR also recognises that the same or linked processing operations may give rise to infringements of several provisions of that Regulation. It addresses this by making clear that the total amount of any penalty is to be the subject of the amount specified for the gravest infringement (see Article 83(3)).
7.84. Third, the principle of lex specialis means that “where a legal issue falls within the ambit of a provision framed in general terms, but is also specifically addressed by another provision, the specific provision overrides the more general one.”[155] The Commissioner does not accept that the application of the lex specialis principle precludes the Commissioner from treating this case as a Tier 2 infringement.
155 R (Hallam) v Secretary of State for Justice [202 at [144]. See also Case T-60/06 RENV II Italy v Commission (2016), at [81].
7.85. Article 5(1)(f) and Article 32 are evidently distinct provisions of the GDPR, notwithstanding the degree of overlap. Article 32 applies to processors, whilst Article 5 does not. Contrary to Marriott’s submission, there is no basis upon which to give Article 32 precedence over Article 5(1)(f). They can be applied to controllers at the same time: Article 32 does not override the basic requirements laid down in Article 5(1)(f), read with Article 5(2), which establish the responsibility of the controller for demonstrating compliance with the security obligation and any breach of that principle.
7.86. Further, and in any event, the provisions in Article 83(4) and Article 83(5) are distinct provisions which make explicit provision for different fining tiers to apply to breaches of Articles 5 and 32 GDPR. It is clear that any infringement of Article 32 falls within the scope of Article 83(4) whilst an infringement of Article 5(1)(f) falls within the scope of Article 83(5). Article 83(4) is not more specific than Article 83(5). It is incapable of overriding or taking precedence over it. Rather, any issue as to which maximum penalty applies is resolved by the application of Article 83(3) which states in terms that in these circumstances “the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.” The legislation itself provides the mechanism for addressing circumstances in which processing engages more than one obligation.
7.87. The Commissioner notes that her interpretation of Articles 83(4)-(5) is supported by the Article 29 Working Party’s Guidelines on the application and setting of administrative fines for the purposes of the GDPR, which states:
          Specific infringements are not given a specific price tag in the Regulation, only a cap (maximum amount). This can be indicative of a relative lower degree of gravity for a breach of obligations listed in article 83(4), compared with those set out in article 83(5). The effective, proportionate and dissuasive reaction to a breach of article 83(5) will however depend on the circumstances of the case...
          The occurrence of several different infringements committed together in any particular single case means that the supervisory authority is able to apply the administrative fines at a level which is effective, proportionate and dissuasive within the limit of the gravest infringement. Therefore, if an infringement of article 8 and article 12 has been discovered, then the supervisory authority may be able to apply the corrective measures as set out in article 83(5) which correspond to the category of the gravest infringement, namely article 12....[156]
156 Pages 9-10.
7.88. Fourth, in any event, Marriott’s main objection to the use of the 4% maximum penalty appears to be its impact on the turnover-bands applied under the Draft Internal Procedure, which was applied in calculating the proposed fine included in the Notice of Intent. As this approach has not been adopted in determining the final level of penalty to be imposed by this Notice, the same concerns do not arise. It is noted that the final penalty imposed is well below the 2% cap, and so the application of that cap in reaching the final decision, as opposed to a 4% cap, would have made no difference.
7.89. Marriott also asserted in a single paragraph of its First Representations that the Commissioner’s approach to quantification is “wholly arbitrary”.[157] This is not accepted, either as a criticism of the NOI or this Notice. It appears that this argument rested on Marriott’s contention that there are no clear and precise rules in place governing the setting of the penalty by the Commissioner. This claim is addressed below.
157 Marriott’s First Representations, para 4.18.
        (5) An uplift to ensure a deterrent effect
7.90. Marriott claimed that the proposal in the NOI to increase the proposed penalty for the infringement to 2.5% to ensure that it would have a sufficient deterrent effect was arbitrary and unlawful.[158] This is not accepted. The Commissioner is obliged to consider whether such an uplift should be made under the RAP and Article 83 GDPR.
7.91. Marriott’s criticisms of the NOI in this regard relied heavily on its criticisms of the previous use made of the Draft Internal Procedure’s turnover-based approach in setting the proposed penalty at that stage.[159] These points have been addressed above. It is, however, important to note that para 61(d) of the NOI explained that in the light of the scale and severity of the infringement and factors discussed in para 61(a)-(c), a penalty of between 1.5 and 2% would be appropriate and proportionate. Para 61(f) then went on to consider what an appropriate uplift would be to ensure a deterrent effect, which was a separate issue that warranted individual consideration at a later stage of the analysis. These are separate steps under the RAP (see Section 2 above). It is therefore incorrect to assert, as Marriott did, that any uplift from the judged starting point means that the Commissioner: “is knowingly imposing a disproportionate penalty sum.”[160]
158 Marriott’s First Representations, para 4.24.
159 Marriott’s First Representations, paras 4.25-4.30.
160 Marriott’s First Representations, para 4.25.
7.92. In any event, as set out above under Step 4, no additional amount has been added in this case for deterrent effect.
        (6) Legitimate Expectation and Legal Certainty
        The alleged legitimate expectation
7.93. In response to the NOI and draft decision, Marriott relied on selective quotes from public statements made by the Commissioner or her office about the new GDPR regime to contend that fines under the GDPR should be set in accordance with past precedents, i.e. decisions made under the DPA 1998.[161] What Marriott seeks, in effect, is for the Commissioner unilaterally to impose the previous domestic cap and approach to fines which applied in the UK prior to the harmonised regime under the GDPR.
7.94. Plainly it is not open to the Commissioner, as a matter of domestic or EU law, to adopt unilaterally an approach that would undermine the object and purpose of the new EU regime.
7.95. The GDPR, and consequently the DPA, represent a significant departure from the regime under DPA 1998 and the 1995 Directive. The GDPR was expressly intended to harmonise the rights of, and protections afforded to, data subjects across the EU. It differs markedly from the 1995 Directive, most obviously in that it introduces significantly higher and more effective penalties, with maximum penalties defined expressly by reference to turnover. The GDPR also imposes new obligations on controllers, including new organisational requirements such as the designation of a data protection officer and new provisions on the lawfulness of processing. The GDPR and the DPA have significantly changed the legal landscape in data protection and enforcement.
7.96. Marriott’s submissions are to the effect that public statements made by the Commissioner override these changes, and as such she is bound to apply in effect the DPA 1998 and/or only apply incremental increases to the level of fine that would have been issued under that Act. Public statements made by the Commissioner or her staff, which are in any event quoted selectively and/or taken out of their proper context by Marriott, are incapable of achieving this outcome.
161 Marriott’s First Representations, paras 4.37-4.41. See also Marriott’s First Representations, paras 4.65-4.66; see also Marriott’s Second Representations, paras 1.28-1.31.
7.97. More specifically, the public statements referred to by Marriott in its Representations were not intended to be - and cannot objectively be read as - assurances to any controller that the Commissioner would not use her powers on a case by case basis, to impose effective, proportionate and dissuasive penalties in appropriate cases. Marriott disputes this; however, the Commissioner maintains her position for the following reasons:
        a. Marriott refers to a blog post published by Elizabeth Denham on 9 August 2017.[162] Whilst it is true that the post states that the Commissioner will not “simply scale up penalties” issued under the DPA 1998, it also states: “Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in the 21st century world. We intend to use those powers proportionately and judiciously.”
        b. Marriott refers to a speech made by James Dipple-Johnstone at the Data Protection Practitioner’s Conference on 9 April 2018,[163] however the quotation which Marriott selectively cited is preceded by a summary of the approach the Commissioner intended to take, including “we will look at each case on its own merits. We’ll look at the features and context of each case. And, this is important, we will focus on area of greatest risk to people - potential or actual harm... The more serious, high impact, deliberate, wilful or repeated breaches can expect the most robust response.”
7.98. There is nothing within these quotations which can be read as giving rise to a legitimate expectation that the Commissioner would either: (a) issue fines in accordance with the previous maximum limit which applied under the DPA 1998 and/or past cases issued under that Act; or (b) only apply incremental increases to the level of fine that would have been imposed under the DPA 1998.[164] As made clear in the blog and speech to which Marriott has referred, the Commissioner had always been clear that she would (in accordance with her obligations) use her full powers on a case by case basis, to impose effective, proportionate and dissuasive penalties in appropriate cases, which includes the possibility of large fines.
162 Marriott’s Second Representations, para 1.29(a).
163 Marriott’s Second Representations, para 1.29(b).
164 Marriott’s Second Representations, paras 1.30-1.31.
7.99. Marriott accepted in its Second Representations that the Commissioner is not constrained by the previous statutory maximum of £500,000.[165] But in practice, its attempt to limit the Commissioner to only making incremental increases to the fine level that would have applied under the DPA 1998 amounts to the same thing. The starting point is the application of Article 83 GDPR, the DPA 2018 and the RAP. It is not what the decision would have been under a superseded legal regime.
        The alleged lack of legal certainty
7.100. As set out above, the Commissioner recognises that in imposing a penalty on a controller, she must comply with any relevant fundamental rights that are engaged, including under the ECHR or the EU Charter. She does not accept, however, that the penalty regime applicable under, in particular, Article 83 GDPR lacks sufficient certainty such that it cannot be lawfully applied. That is in effect Marriott’s case. It contends that unless the Commissioner applies a precedents-based approach based on decisions made under the DPA 1998, it is impossible for the Commissioner to meet the requirement of legal certainty.[166]
7.101. The DPA reflects the directly applicable EU law framework for determining penalties. The Commissioner does not agree with Marriott that Article 83 GDPR or section 155 DPA are so unclear that they are unlawful. Taken together, those provisions specify the circumstances in which a data protection authority has the power to impose an administrative penalty, and the matters that are relevant to that decision and the amount of any penalty. The legislative regime is supplemented by the RAP, which provides additional guidance in this regard. Contrary to para 4.60 of Marriott’s First Representations, the RAP cannot be dismissed as “unclear and open-ended”.
7.102. Marriott’s submissions on legal certainty are wrong for the following seven reasons.
165 Marriott’s Second Representations, para 1.30.
166 Marriott’s First Representations, paras 4.50-4.73.
7.103. First, in accordance with section 161 DPA 2018 the RAP was laid before Parliament for approval, and was duly approved.
7.104. In its Second Representations, Marriott emphasised the fact that Articles 83(8)-(9) and 70(1)(k) GDPR “directly envisage and expect” that the high-level principles set out in the legislation will be the subject of national or supranational guidance.[167] Pursuant to section 160 DPA, the Commissioner is obliged to issue guidance in respect of how she will determine the amount of penalties to be imposed. She has done so through the RAP.
7.105. Second, the RAP, which must be read alongside the DPA and, in particular, Article 83 GDPR, provides sufficient clarity and legal certainty, as required under the ECHR and EU law. In particular, the RAP explains that Step 2 intends to “censure” the breach, and this requires taking into consideration its scale (including the number of data subjects affected) and the severity of the breach itself, and expressly refers to the factors set out in the DPA. Examples of aggravating factors are set out in the RAP to assist with the interpretation of Step 3, as well as mitigating factors (to be considered at Step 5). Marriott’s argument appears to be that because it is possible for the RAP to be more detailed, it must follow that the RAP is insufficiently detailed to fulfil the requirements of legal certainty. That is not the case.
7.106. It is not suggested that it is impossible to produce more detailed quantification guidance.[168] The GDPR is a new regime. Whilst not necessary for the purposes of legal certainty, more detailed guidance may well be developed over time as the UK and EU Member States gain experience in applying it. The Commissioner has committed to updating the guidance available in the future. However, the fact that there is potential for further development of the guidance does not mean that the present guidance is so unclear as to be unlawful. The RAP provides sufficient guidance as to the circumstances in which penalties, including large penalties, will be applied.
167 Marriott’s Second Representations, para 1.9.
168 Marriott’s Second Representations, para 1.10.
7.107. Third, it is neither necessary nor possible to produce a specific quantification framework which tells controllers precisely what level of fine they may face.
7.108. In para 1.9 of its Second Representations, Marriott claims that the Commissioner cannot lawfully impose penalties without setting out a further quantification methodology.[169] This is incorrect. The guidance available from Article 83 GDPR, the DPA and the RAP, cannot be rejected as legally uncertain purely on the basis that it does not attempt to specify exactly what levels of penalty might attach to wrongdoing.[170]
7.109. It would be impossible for the Commissioner to specify all the types of situations, and relevant circumstances, in which a penalty may be imposed under the GDPR. Nor could any guidance permit a controller to calculate specifically what any fine might be (especially by reference to a particular fine). The guidance must be general enough in order to cover a wide range of potential situations, and respect the general discretion of the Commissioner (subject to public law principles). The GDPR also requires the Commissioner to take a case-by-case approach, guided by the need to ensure that any penalty is effective, proportionate and dissuasive, and subject to the prescribed turnover caps.
7.110. Fourth, contrary to Marriott’s submissions,[171] there is also no flaw in the Commissioner’s approach because, on the particular facts of this case, no adjustments needed to be made at certain steps in the process. The draft decision explained clearly, in particular, that: (a) the need to ensure the penalty is dissuasive was taken into account sufficiently under Step 2 such that there was no need for a further uplift reflecting the need for the penalty sum to deter others under Step 4;[172] and (b) the mitigating factors had been taken into account under Step 2, so no adjustment was made at Step 5 to avoid ‘double-counting’. The fact that certain steps did not require adjustments to be made in a particular case does not render the RAP, which is intended to be of general application, “deficient”.[173]
169 Marriott’s Second Representations, para 7.93.
170 Marriott’s Second Representations, paras 1.7-1.10.
171 Marriott’s Second Representations, para 1.34.
172 Marriott’s Second Representations, para 1.34.
173 Marriott’s Second Representations, para 1.10, see also para 1.34.
                                                                                827.111.  In any  event,  to assist  Marriott, the Commissioner      has  dealt with
        the mitigating factors arising i this case under Step 5 of the analysis
        (rather than Step 2, see para 7.40 above)          so that i can see the
        impact of these factors on the overall level of penalty.
7.112. Fifth, as explained    at paragraph    7.68  above,  the  Draft  Internal
        Procedure was not developed and i not relied upon for the purposes
        of meeting    the legal certainty  requirement,    contrary to Marriott’s
        submissions    during the course of the investigation.1’* While i was
        intended to be a helpful supplement to the RAP for internal decision-
        making  purposes,  i has been disregarded      for the purposes    of this
        Notice.
7.113. Sixth, for the reasons given above i respect of Marriott’s legitimate
        expectation  argument,    i i not open      to the  Commissioner    to re-
        impose the different, UK-only, legislative cap on fines i the manner
        sought  by Marriott. The bands which applied under the DPA          1998,
        and  the  decisions  made    under  i  cannot  be  relied  upon  as a
        justification for the Commissioner to fail to comply with EU law.
7.114. Finally, as to the claim made      by Marriott that other bodies, namely
        the FCA  and  the EU Commission,      apply  more  rigorous  and  more
        predictable    rules,  i  i  noted  that  each  regulator  must    take
        enforcement    action within the bounds      of its own  legal obligations,
        and i this case the Commissioner        i bound to comply, i particular,
        with Article 83 of the GDPR.*7°
        Other decisions by the Commissioner / Decisions by other European authorities
7.115. Marriott submitted in its Representations that the proposed penalty is inconsistent with previous action by the Commissioner and other EU supervisory authorities, contrary to the stated aim of GDPR being to create a harmonised regime.[176] In its Representations,[177] Marriott states that the proposed penalty is (a) inconsistent with action taken by other EU supervisory authorities, (b) contrary to the stated aim of the GDPR being a harmonised regime; and (c) inconsistent with the decision taken by the Commissioner in a different case. Marriott specifically refers to the following cases:
        a.  the decision by CNIL to impose a €50 million penalty on Google. Marriott contended that the infringements in Google’s case were more serious than those considered in this Notice;
        b.  the decision of the Austrian Data Protection Authority against Österreichische Post AG, which was fined €18 million;
        c.  a €2.6 million fine issued by the Bulgarian Commission of Personal Data Protection to the Bulgarian Revenue Agency in relation to a cyber-attack which affected over 5 million data subjects;
        d.  a fine of €645,000 imposed on Morele.net by the Polish supervisory authority for a cyber-attack affecting over 2 million data subjects;
        e.  a fine of €150,000 imposed on Raiffeisen Bank by the Romanian supervisory authority concerning the misuse of customer data by employees of the bank;
        f.  the decision of the Romanian authority on UniCredit Bank SA. The company was fined €130,000 for a breach of Article 25 GDPR due to the compromise of payment details, when its worldwide turnover for 2018 was €18 billion; and
        g.  the Commissioner’s decision regarding Doorstep Dispensaree Ltd, dated 20 December 2019.
174 Marriott’s First Representations, para 4.61 and Marriott’s Second Representations, para 1.4.
175 The submissions made at paras 1.20-1.25 of Marriott’s Second Representations are noted.
176 Marriott’s First Representations, paras 4.69-4.7 and Marriott’s Second Representations, paras 1.12-1.19.
177 Marriott’s Second Representations, paras 1.14-1.19.
7.116. The purpose of GDPR is, as Marriott contends, to secure a harmonised regime. However, that harmonisation is achieved through the application of harmonised rules and standards to the particular facts of the case at issue. Any cross-border processing decision must then be subject to the Article 60 process.
7.117. The Commissioner, along with other EU supervisory authorities, must comply with her obligations under Article 83 and that means that she is required to impose a penalty which, in her own judgment, having regard to all the matters listed in Article 83, and on the facts of the individual case, is effective, proportionate, and dissuasive. In principle, ‘equivalent’ breaches should attach ‘equivalent’ penalties. But in practice, each case will turn on its own particular facts. Whilst the Commissioner has considered the limited information available about the cases to which Marriott has referred, she maintains that simple comparisons of the penalties imposed in different cases do not show that the Commissioner has erred in applying Article 83 GDPR, DPA and/or the RAP.
7.118. There is a great degree of variation in the penalties imposed by supervisory authorities even in the context of the limited fines imposed to date,[178] which are - in the Commissioner’s view - indicative of a decision-making process that is fact-specific. It would be premature and not necessarily helpful to rely heavily at this juncture on a survey of the action taken by other supervisory authorities, given the relatively few decisions that have been taken under the new regime. This is particularly the case where there is limited public information available about the reasons for the decisions taken by other authorities.
7.119. In any event, as the Commissioner is acting as lead authority in this case, the way to ensure consistency is not by comparing the penalty to a selection of other penalties issued on different facts in the EU. Rather, the consistency mechanism provided for by Articles 60(4) and 63 GDPR will allow for all of the supervisory authorities concerned to cooperate with the Commissioner, make enquiries, and contribute their views in order to ensure the consistency of the ultimate penalty sum with penalties that have been (if there are any) and/or will be applied in similar situations. The Article 60 process is one of the factors which, as noted in Article 63, contributes to the consistent application of the GDPR and the Commissioner is entitled to rely on the process as a contributory factor.
        (7) Application of the RAP
7.120. In response to the NOI and/or the draft decision, Marriott submitted that the Commissioner had acted contrary to the RAP by: (a) failing to consider separately the appropriate fines for the provisionally found breaches of Articles 33 and 34 GDPR, from those in relation to Articles 5(1)(f) and 32 GDPR; (b) failing to adopt the starting point that any penalty of over £1 million is reserved for very significant cases; and/or (c) failing to correctly apply the factors that the RAP categorises as determining whether a higher penalty can be imposed.[179]
178 Notably the decision of the French SA, the CNIL, to fine Google 50 million Euros. See also https://www.enforcementtracker.com which suggests there is significant variation in the level of fines that have been imposed to date, ranging from a few thousand to millions of pounds.
7.121. As to the first issue, the Commissioner has not included in her final decision a finding that Marriott breached Article 33 or 34 GDPR. Thus, this issue no longer arises.
7.122. The second issue is based on a misreading of the RAP. Marriott misunderstood the discussion of the circumstances in which she may convene an advisory panel. This point has been addressed above at paras 7.76-7.77.
7.123. In response to the draft decision, Marriott submitted that the Commissioner is seeking to “reinterpret” the wording of page 26 of the RAP in this regard. That is incorrect. The section of the RAP which addresses specifically the setting of a penalty does not refer to this concept of “very significant” penalties at all. This language is used only to describe the types of situations in which the Commissioner may convene an advisory panel.[180]
7.124. Marriott also submitted that: “the ICO appears to have determined that this case is not significant enough to merit convening the panel, which is entirely inconsistent with the fine imposed and further demonstrates the arbitrariness of this process.”[181] This submission is unfounded. The Commissioner has discretion over whether to convene a panel. The reasons why a panel was not convened in this case were explained in correspondence, i.e. this decision would be subject to the Article 60 consultation process. In such circumstances, the panel was unnecessary. It does not imply that this case lacks significance. For the reasons outlined above, this case has been found to involve significant breaches of the GDPR.
7.125. The third issue was also based on a misinterpretation or misapplication of the RAP. Contrary to Marriott’s submissions,[182] the RAP does not set out at page 27 the only categories of cases in which it is justifiable for the Commissioner to impose a high penalty. The examples provided are not to be applied as a list of criteria which must be met in any case before a penalty exceeding £1 million can be imposed. They provide a general indication of the circumstances in which a penalty will be higher. The Commissioner is not therefore departing from guidance in a manner which has to be justified. This Penalty Notice explains why the fine set is appropriate.
179 Marriott’s First Representations, paras 4.42-4.49 and Marriott’s Second Representations, paras 1.32-1.34.
180 Page 26 of the RAP.
181 Marriott’s Second Representations, para 1.33.
182 Marriott’s Second Representations, para 1.32.
7.126. The GDPR was enacted in 2016 and came into force two years later. Data controllers, especially global undertakings of the size of Marriott, would have been fully aware of the maximum penalties permitted by GDPR. The reference to the sum of £1 million in the RAP does no more than describe the circumstances in which the Commissioner may decide to convene an advisory panel, and page 27 of the RAP cannot be relied upon to confine the Commissioner’s power to impose penalties in the manner sought by Marriott. The decision as to whether a penalty should be imposed and at what level, in order to provide an effective, proportionate and dissuasive result, has to be reached through the application of Article 83(2) GDPR and section 155 DPA 2018. It is clear from the RAP that the Commissioner will adopt a case-specific approach, taking into account all relevant considerations. That is the approach taken in this case.
        (8) Proportionality
7.127. Marriott contends that the proposed penalty set out in the NOI was disproportionate on its face.[183] This argument is not accepted in respect of the provisional penalty that was proposed in the light of the information available at that time.
7.128. It is also not accepted that the penalty proposed in the draft decision was disproportionate. That proposed penalty took account of and reflected the submissions made by Marriott in response to the NOI. Marriott criticised the approach taken in the draft decision on the basis that the claim that the fine proposed was proportionate rested inappropriately on a comparison with the level of penalty set out in the NOI.[184] That was not the approach taken. Section 7 of the draft decision explained clearly the basis upon which, at that time, the proposed penalty was proportionate. In any event, this Penalty Notice explains in clear terms why the level of final penalty imposed is proportionate in the light of the findings reached by the Commissioner (see paragraphs 7.3-7.57 above).
7.129. The mathematical error made at para 5.43 of the draft decision is noted.[185] No such error is made at para 7.57 above.
183 Marriott’s First Representations, paras 4.74-4.77 and Second Representations, para 1.8.
184 Marriott’s Second Representations, paras 1.8 and 1.40.
8. HOW THE PENALTY IS TO BE PAID
8.1.  The penalty must be paid to the Commissioner’s office by BACS transfer or cheque.
8.2.  The penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government’s general bank account at the Bank of England.
9. ENFORCEMENT POWERS
9.1.  The Commissioner will not take action to enforce a penalty unless:
          • all or any of the penalty has not been paid;
          • all relevant appeals against the penalty notice and any variation of it have either been decided or withdrawn; and
          • the period for appealing against the penalty and any variation of it has expired.
9.2.  In England, Wales and Northern Ireland, the penalty is recoverable by Order of the County Court or the High Court. In Scotland, the penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.
185 Marriott’s Second Representations, para 1.41.
Dated the 30th day of October 2020
Elizabeth  Denham
Information  Commissioner
Information  Commissioner’s    Office
Wycliffe House
Water  Lane
Wilmslow
Cheshire
SK9 5AF
ANNEX 1
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER
      1.    Section 162(1) of the Data Protection Act 2018 gives any person upon whom a penalty notice has been served a right of appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’) against the notice.
      2.    If you decide to appeal and if the Tribunal considers:
            a)    that the notice against which the appeal is brought is not in accordance with the law; or
            b)    to the extent that the notice involved an exercise of discretion by the Commissioner, that she ought to have exercised her discretion differently,
            the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal.
      3.    You may bring an appeal by serving a notice of appeal on the Tribunal at the following address:
                  General Regulatory Chamber
                  HM Courts & Tribunals Service
                  PO Box 9300
                  Leicester
                  LE1 8DJ
            a)    The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice.
            b)    If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule.
            The notice of appeal should state:
            a)    your name and address/name and address of your representative (if any);
            b)    an address where documents may be sent or delivered to you;
            c)    the name and address of the Information Commissioner;
            d)    details of the decision to which the proceedings relate;
            e)    the result that you are seeking;
            f)    the grounds on which you rely;
            g)    you must provide with the notice of appeal a copy of the penalty notice or variation notice;
            h)    if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time and the reason why the notice of appeal was not provided in time.
            Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose.
            The statutory provisions concerning appeals to the First-tier Tribunal (General Regulatory Chamber) are contained in sections 162 and 163 of, and Schedule 16 to, the Data Protection Act 2018, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)).








</pre></blockquote>
</pre>

Latest revision as of 09:59, 9 May 2022

ICO - Monetary Penalty on Marriott International Inc.
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 30.09.2020
Published: 30.10.2020
Fine: 18400000 GBP
Parties: n/a
National Case Number/Name: Monetary Penalty on Marriott International Inc.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Information Commissioner's Office (in EN)
Initial Contributor: Edda Pernice

The Information Commissioner’s Office (ICO) imposed a fine of £18.4 million (approximately €20.7 million) on Marriott International Inc (“Marriott”) for failing to ensure appropriate security when processing its customers’ personal data, thus violating Article 5(1)(f) and Article 32 GDPR.

The investigation began following notification of an attack on Marriott’s IT systems that took place over a period which included 25 May 2018 (when the GDPR came into force) to 17 September 2018. As a result, the attacker(s) had access to vast amounts of customers’ personal data: Marriott estimated that they accessed 339 million guest records, with 30.1 million being EEA residents’ records and 7 million being associated with the UK.

English Summary

Facts

Starwood Hotels and Resorts Worldwide Inc’s (“Starwood”) IT systems were first compromised by unknown attackers in 2014. Marriott subsequently acquired Starwood in 2016, but did not detect this attack at any time between that moment and September 2018. Therefore, between 2014 and 2018, the attackers had access to Starwood’s systems through the use of Remote Access Trojan malware, and kept extracting Starwood databases. Marriott became aware of the attack following an alert from a security tool monitoring one of its most sensitive databases in September 2018. After that, Marriott found malware installed and evidence that databases had been exported over the years, so it promptly notified both the ICO and the relevant data subjects of the breach. The ICO found that the attackers had obtained unencrypted personal data such as passport numbers and identifying information about customers (name, date of birth and gender), plus credit card details in encrypted form.

Dispute

Holding

Although the ICO and the affected individuals were notified promptly of the breach, the ICO found that there were many failures in putting in place the technical and organisational measures to safeguard personal data in Marriott’s systems as required under Article 5(1)(f) and Article 32 GDPR. Marriott’s shortcomings, as outlined by the ICO, were the following: insufficient monitoring of privileged accounts and their user activity, insufficient monitoring of databases, poor control of critical systems and of systems that have access to large amounts of personal data, and the fact that only certain types of sensitive data were encrypted (e.g. credit card numbers) but not all (e.g. many passport numbers). The ICO fined Marriott in line with Article 83 GDPR but also took into account mitigating factors such as the efforts that Marriott made to inform and help the victims of the breach, the $19 million investment it made in security the following year and the financial impact of the Covid-19 pandemic, lowering the final amount of the fine from £24 million to £18.4 million.
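The monitoring gaps the ICO lists above (privileged-account activity, database access, bulk export of tables holding personal data) are exactly what a database audit-log detector is built to surface. The following is an added example written for this page; it is not code from the ICO, Marriott or the GDPRhub contributors. It runs three checks over a handful of constructed audit-log lines in a hypothetical pipe-delimited format (timestamp|account|source_host|action|object|row_count). The account names, host names, table names, thresholds and the log format itself are all assumptions.

```python
"""Added example: audit-log detection for the monitoring gaps listed in the Holding.
Not from the ICO decision or Marriott; the log format and all names are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed sample audit-log lines (hypothetical format:
# timestamp|account|source_host|action|object|row_count). Names are made up.
SAMPLE_LOG = """\
2018-09-07T01:12:03Z|svc_backup|db-admin-01|SELECT|GUEST_PROFILE|120
2018-09-07T02:40:11Z|dba_admin|jump-07|EXPORT|GUEST_PROFILE|33900000
2018-09-07T02:41:55Z|dba_admin|jump-07|EXPORT|PASSPORT_DETAILS|5200000
2018-09-07T02:42:30Z|dba_admin|jump-07|EXPORT|CARDHOLDER_DATA|8800000
2018-09-07T09:00:00Z|app_reporting|app-03|SELECT|RESERVATION|4000
2018-09-07T10:15:42Z|dba_admin|db-admin-01|ALTER|RESERVATION|0
"""

# Assumed policy: privileged accounts, the hosts they may connect from,
# tables holding personal data, and what counts as a bulk operation.
PRIVILEGED_ACCOUNTS = {"dba_admin", "svc_backup"}
EXPECTED_ADMIN_HOSTS = {"db-admin-01"}
SENSITIVE_TABLES = {"GUEST_PROFILE", "PASSPORT_DETAILS", "CARDHOLDER_DATA"}
BULK_ACTIONS = {"EXPORT", "DUMP"}
BULK_ROW_THRESHOLD = 100_000

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\|(?P<account>[^|]+)\|(?P<host>[^|]+)\|"
    r"(?P<action>[A-Z]+)\|(?P<obj>[^|]+)\|(?P<rows>\d+)$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    account: str
    host: str
    action: str
    obj: str
    rows: int


@dataclass(frozen=True)
class Alert:
    ts: str
    account: str
    reason: str


def parse_log(text: str) -> List[Event]:
    """Parse audit lines; a malformed line is skipped rather than crashing the detector."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        events.append(Event(m["ts"], m["account"], m["host"],
                            m["action"], m["obj"], int(m["rows"])))
    return events


def detect(events: Iterable[Event]) -> List[Alert]:
    """Three checks matching the gaps the ICO identified: privileged-account use
    from an unexpected host, bulk export of a table holding personal data, and
    one account exporting several such tables (data staged for exfiltration)."""
    alerts: List[Alert] = []
    exported: Dict[str, Set[str]] = defaultdict(set)  # account -> sensitive tables exported
    for e in events:
        if e.account in PRIVILEGED_ACCOUNTS and e.host not in EXPECTED_ADMIN_HOSTS:
            alerts.append(Alert(e.ts, e.account,
                                f"privileged account used from unexpected host {e.host}"))
        if e.action in BULK_ACTIONS and (e.obj in SENSITIVE_TABLES or e.rows >= BULK_ROW_THRESHOLD):
            alerts.append(Alert(e.ts, e.account, f"bulk {e.action} of {e.obj} ({e.rows} rows)"))
            if e.obj in SENSITIVE_TABLES:
                tables = exported[e.account]
                tables.add(e.obj)
                if len(tables) == 2:  # fire once, when a second sensitive table is hit
                    alerts.append(Alert(e.ts, e.account,
                                        "multiple sensitive tables exported: " + ", ".join(sorted(tables))))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a.ts} {a.account}: {a.reason}")
```

On the constructed lines the detector raises seven alerts, all against the hypothetical `dba_admin` account: three for use from a jump host it is not expected on, three for bulk exports of tables holding personal data, and one aggregated alert the moment a second sensitive table is exported. The third check is the one that matters most for a long-dwell intrusion of the kind described in the Facts: individual exports can be explained away, but one account dumping guest profiles, passport details and cardholder data in quick succession is the pattern an analyst would want paged on, regardless of whether the "dmp" files ever leave the network.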

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

Cf. a commentary on the decision in French: https://swissprivacy.law/19/.

English Machine Translation of the Decision

The decision below is reproduced from the ICO’s English original. Please refer to the original document for more details.

Information Commissioner's Office

PENALTY NOTICE

Section 155, Data Protection Act 2018

Case ref: COM0804337
Marriott International Inc
10400 Fernwood Road
Bethesda
MD 20817
USA

30 October 2020

1. INTRODUCTION & SUMMARY


1.1.    This Penalty Notice is given to Marriott International Inc (“Marriott”) pursuant to section 155 and Schedule 16 of the Data Protection Act 2018 (the “DPA”). It relates to infringements of the General Data Protection Regulation (the “GDPR”), which came to the attention of the Information Commissioner (“the Commissioner”) as a result of an attack on Marriott’s IT systems[1] that took place over a period that included 25 May 2018 to 17 September 2018 (the “Attack”).

1.2.    In summary, in 2014 the IT systems of Starwood Hotels and Resorts Worldwide Inc (“Starwood”) were compromised by an unknown attacker or attackers (referred to, for ease of reference, as “the Attacker”), utilising an unknown attack vector. In 2016, Marriott acquired Starwood. Marriott did not detect the Attack at any time between acquiring Starwood and September 2018, including in the period after the entry into force of the GDPR in May 2018. During this latter period, the Attacker continued to traverse through the Starwood systems and had gained access to the cardholder data environment within the Starwood network. This access allowed the Attacker to export the personal data of Starwood customers to “dmp” files on the Starwood systems, potentially with a view to taking a copy of that data. It was only when the Attacker triggered an alert in relation to a table containing cardholder data that the Attack was discovered and could be mitigated. The personal data of a large number of individuals was involved in the Attack, including cardholder data, although the Commissioner has not seen any evidence of financial harm to individuals. Following the alert, Marriott promptly informed affected data subjects and took immediate steps to mitigate the effects of the Attack and to protect the interests of data subjects by implementing remedial measures.

1.3.    Marriott is an international hotel chain, with operational headquarters in the USA. The provisions of the DPA and the GDPR apply to the processing of personal data by Marriott by virtue of section 207(2) DPA and Article 3(1) GDPR. Marriott has confirmed that Marriott Hotels Limited is Marriott’s main establishment within the EU, as defined in Article 4(16) GDPR.

1.4.    The data subjects affected by this breach were customers of Starwood, which was at the relevant time owned by Marriott, in the United Kingdom, elsewhere in the EU, and in the rest of the world.

1.5.    Marriott was the controller in respect of the personal data of its customers within the meaning of section 6 DPA and Article 4(7) GDPR, as it determined the purposes and means of the processing of the personal data. By inter alia collecting, recording, organising, structuring and storing the personal data of its customers, Marriott was processing that data within the meaning of section 3(4) DPA and Article 4(2) GDPR.

1.6.    Marriott has not admitted liability for breach of the GDPR. However, for the reasons set out in this Penalty Notice, the Commissioner has found that Marriott failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures, as required by Article 5(1)(f) and Article 32 GDPR.

1.7.    The Commissioner has found that, in all the circumstances, and having regard, in particular, to Marriott’s representations and the matters listed in Article 83(1) and (2) GDPR, the infringements constitute a serious failure to comply with the GDPR and, accordingly, that the imposition of a penalty is appropriate. The amount of the penalty that the Commissioner has decided to impose, having taken into account a range of mitigating factors set out further below and the impact of the Covid-19 pandemic, is £18.4 million.

1.8.    Pursuant to Article 56 GDPR, the Commissioner is acting as lead supervisory authority in respect of the cross-border processing at issue in this case.

1 References in this decision to Marriott’s systems / network / security etc. concern the IT systems etc. that Marriott acquired from Starwood in September 2016 and retained and continued to use post-acquisition.

2. LEGAL FRAMEWORK

GDPR

2.1.    On 25 May 2018, the GDPR entered into force, replacing the previous EU law data protection regime that applied under Directive 95/46/EC (“Data Protection Directive”).[2] The GDPR seeks to harmonise the protection of fundamental rights in respect of personal data across EU Member States and, unlike the Data Protection Directive, is directly applicable in every Member State.[3]

2.2.    The GDPR was developed and enacted in the context of challenges to the protection of personal data posed by, in particular:

        a.   the substantial increase in cross-border flows of personal data resulting from the functioning of the internal market;[4] and

        b.   the rapid technological developments which have occurred during a period of globalisation.[5] As Recital (6) explains: “... The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities....”

2.3.    Such developments made it necessary for “a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market...”.[6]

2.4.    Against that background, the GDPR imposed more stringent duties on controllers and significantly increased the penalties that could be imposed for a breach of the obligations imposed on controllers (amongst others).[7]

2 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
3 Recital 3.
4 Recital 5.
5 Recital 7.
7 See, in particular, Recitals 11, 148, 150, and Article 5, Chapter IV and Article 83.

The relevant obligations

2.5.    Chapter I GDPR sets out the general provisions. Article 5 of Chapter II GDPR sets out the principles relating to the processing of personal data. Article 5(1) lists the six basic principles that controllers must comply with in processing personal data, including:

            1. Personal data shall be:

            ...(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

2.6.    Article 5(2) GDPR makes it clear that the “controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)”.

2.7.    Chapter IV, Section 1 addresses the general obligations of controllers and processors. Article 24 sets out the responsibility of controllers for taking appropriate steps to ensure and be able to demonstrate that processing is compatible with the GDPR. Articles 28-29 make separate provision for the processing of data by processors, under the instructions of the controller.

2.8.    Chapter IV, Section 2 addresses security of personal data. Article 32 GDPR provides:

            1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

               (a) the pseudonymisation and encryption of personal data;
               (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
               (c) ...
               (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.

            2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

2.9.    Article 32 GDPR applies to both controllers and processors.

        Penalties

2.10.   Article 83(1) GDPR requires supervisory authorities to ensure that any penalty imposed in each individual case is “effective, proportionate and dissuasive”.

2.11.   The principle that penalties ought to be effective, proportionate and dissuasive is a longstanding principle of EU law. The Commissioner is under an EU law obligation to ensure that infringements of the GDPR are penalised in a manner that is effective, proportionate and dissuasive.


2.12.   Further, Recital 148 emphasises, inter alia, that “in order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation.” It also records that due regard should be given to the:

            nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor...


2.13.   Recital 150 provides as follows:

            In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.

2.14.   In line with the above, when deciding whether to impose a fine and the appropriate amount of any such fine, Article 83(2) GDPR requires the Commissioner to have regard to the following matters:

            (a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

            (b) the intentional or negligent character of the infringement;

            (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

            (d) the degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

            (e) any relevant previous infringements by the controller or processor;

            (f) the degree of co-operation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

            (g) the categories of personal data affected by the infringement;

            (h) the manner in which the infringement became known to the supervisory authority, including whether, and if so to what extent, the controller or processor notified the supervisory authority of the infringement;

            (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

            (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

            (k) any other aggravating or mitigating factor applicable to the case, including financial benefits gained, or losses avoided, directly or indirectly from the infringement. [8]

2.15.   Article 83(5) GDPR provides that infringements of the basic principles for processing imposed pursuant to Article 5 GDPR will, in accordance with Article 83(2) GDPR, be subject to administrative fines of up to €20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.


2.16.   Article 83(4) GDPR provides, inter alia, that infringements of the obligations imposed by Article 32 GDPR on the controller and processor will, in accordance with Article 83(2) GDPR, be subject to administrative fines of up to €10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

[8] See also the Article 29 Data Protection Working Party Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, adopted on 3 October 2017, endorsed by the European Data Protection Board at its first plenary session. These provide a high-level overview of the assessment criteria set out in Article 83(2) GDPR in Section III (“the Article 29 WP Guidelines”).

2.17.   Article 83(3) GDPR addresses the circumstances in which the same or linked processing operations give rise to infringements of several provisions of the GDPR. It provides that “... the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement”.

2.18.   Article 83(8) GDPR provides that the exercise by any supervisory authority of its powers to fine undertakings will be subject to procedural safeguards, including an effective judicial remedy and due process.

        Cooperation and consistency


2.19.   Where, as here, the processing in issue is cross-border, Article 56 GDPR makes provision for the designation of a lead supervisory authority. In this case, the Commissioner is acting as the lead supervisory authority. Chapter VII GDPR establishes the regime for ensuring cooperation between lead and other concerned supervisory authorities, permitting unified decision-making. [9]

2.20.   Article 60 GDPR provides:

            1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.

            2. The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.

            3. The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.

            4. Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.

            5. Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.

            6. Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.

            7. The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.

            8. By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.

            9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.

            10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.

[9] The relevant provisions enacting this regime must be read subject to, in particular, Articles 7, 70 and 127-128 and 131 of the Withdrawal Agreement between the EU and United Kingdom.

2.21.   Article 60(4) refers to the consistency mechanism, which is in Section 2 of Chapter VII GDPR. Article 63 provides that: “In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.” Article 65 GDPR provides, insofar as relevant, that:

            Dispute resolution by the Board

            1. In order to ensure the correct and consistent application of this Regulation in individual cases, the Board shall adopt a binding decision in the following cases:

                  (a) where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead authority or the lead authority has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject

            2. The decision referred to in paragraph 1 shall be adopted within one month from the referral of the subject-matter by a two-thirds majority of the members of the Board. That period may be extended by a further month on account of the complexity of the subject-matter. The decision referred to in paragraph 1 shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them.

            3. Where the Board has been unable to adopt a decision within the periods referred to in paragraph 2, it shall adopt its decision within two weeks following the expiration of the second month referred to in paragraph 2 by a simple majority of the members of the Board. Where the members of the Board are split, the decision shall be adopted by the vote of its Chair.

            4. The supervisory authorities concerned shall not adopt a decision on the subject matter submitted to the Board under paragraph 1 during the periods referred to in paragraphs 2 and 3.

            5. The Chair of the Board shall notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. It shall inform the Commission thereof. The decision shall be published on the website of the Board without delay after the supervisory authority has notified the final decision referred to in paragraph 6.

            6. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and at the latest by one month after the Board has notified its decision. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged, shall inform the Board of the date when its final decision is notified respectively to the controller or the processor and to the data subject. The final decision of the supervisory authorities concerned shall be adopted under the terms of Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in that paragraph will be published on the website of the Board in accordance with paragraph 5 of this Article. The final decision shall attach the decision referred to in paragraph 1 of this Article.

DPA

        The Commissioner

2.23.   Section 115 DPA establishes that the Commissioner is the UK’s supervisory authority for the purposes of the GDPR. Section 115 DPA provides, inter alia, that the Commissioner’s powers under Articles 58(2)(i) (the power to impose administrative fines) and 83 GDPR are exercisable only by giving a penalty notice under section 155 DPA.

        Penalties


2.24.   Section 155(1) DPA provides that, if the Commissioner is satisfied that a person has failed or is failing as described in section 149(2) DPA, the Commissioner may, by written notice (a “penalty notice”), require the person to pay to the Commissioner an amount in sterling specified in the notice.

2.25.   Section 149(2) DPA provides:

            (2) The first type of failure is where a controller or processor has failed, or is failing, to comply with any of the following -

             (a)  a provision of Chapter II of the GDPR or Chapter 2 of Part 3 or Chapter 2 of Part 4 of this Act (principles of processing);
             (b)  ...
             (c)  a provision of Articles 25 to 39 of the GDPR or section 64 or 65 of this Act (obligations of controllers and processors)...

2.26.   Section 155 DPA sets out the matters to which the Commissioner must have regard when deciding whether to issue a penalty notice and when determining the amount of the penalty.

2.27.   Section 155(2) DPA provides that, subject to subsection (4), when deciding whether to give a penalty notice to a person and determining the amount of the penalty, the Commissioner must have regard to the matters listed in Article 83(1) and (2) GDPR.

2.28.   Schedule 16 includes provisions relevant to the imposition of penalties. Paragraph 2 makes provision for the issuing of notices of intent to impose a penalty, as follows:

            (1) Before giving a person a penalty notice, the Commissioner must, by written notice (a “notice of intent”) inform the person that the Commissioner intends to give a penalty notice.

            (2) The Commissioner may not give a penalty notice to a person in reliance on a notice of intent after the end of the period of 6 months beginning when the notice of intent is given, subject to sub-paragraph (3).

            (3) The period for giving a penalty notice to a person may be extended by agreement between the Commissioner and the person.

2.29.   Paragraph 5 sets out the required contents of a penalty notice, in accordance with which this Penalty Notice has been prepared.

        Guidance


2.30.   Section 160 DPA requires the Commissioner to produce and publish guidance about how she intends to exercise her functions. With respect to penalty notices, such guidance is required to include:

            (a) provision about the circumstances in which the Commissioner would consider it appropriate to issue a penalty notice;

            (b) provision about the circumstances in which the Commissioner would consider it appropriate to allow a person to make oral representations about the Commissioner's intention to give the person a penalty notice;

            (c) provision explaining how the Commissioner will determine the amount of penalties;

            (d) provision about how the Commissioner will determine how to proceed if a person does not comply with a penalty notice.

2.31.   Pursuant to section 161 DPA, the Commissioner's first guidance documents issued under section 160(1) DPA had to be consulted upon and laid before Parliament by the Secretary of State in accordance with the procedure set out in that section. Thereafter, in issuing any altered or replacement guidance, the Commissioner is required to consult the Secretary of State and such other persons as she considers appropriate. The Commissioner must also arrange for such guidance to be laid before Parliament.






        The Commissioner’s Regulatory Action Policy

2.32.   On 4 May 2018, the Commissioner opened a consultation process on how the Commissioner planned to discharge her regulatory powers under the DPA. The consultation attracted responses from across civil society, commentators, and industry (including the finance and insurance, online technology and telecoms, and charity sectors). The consultation ended on 28 June 2018. Having taken all the views received during the consultation process into account, the Regulatory Action Policy (the “RAP”) was submitted to the Secretary of State and laid before Parliament for approval.

2.33.   Pursuant to section 160(1) DPA, the Commissioner published her RAP on 7 November 2018. Under the heading “Aims”, the RAP explains that it seeks to:

          -  “Set out the nature of the Commissioner’s various powers in one place and to be clear and consistent about when and how we use them”;

          -  “Ensure that we take fair, proportionate and timely regulatory action with a view to guaranteeing that individuals’ information rights are properly protected”;

          -  “Guide the Commissioner and our staff in ensuring that any regulatory action is targeted, proportionate and effective...” [10]

2.34.   The objectives of regulatory action are set out at page 6 of the RAP, including:

          -  “To respond swiftly and effectively to breaches of legislation which fall within the ICO’s remit, focussing on [inter alia] those adversely affecting large groups of individuals”.

          -  “To be effective, proportionate, dissuasive and consistent in our application of sanctions”, targeting action taken pursuant to the Commissioner’s most significant powers on, inter alia, “organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data”.

[10] RAP, page 5.
2.35.   The RAP explains that the Commissioner will adopt a selective approach to regulatory action. [11] When deciding whether and how to respond to breaches of information rights obligations she will consider criteria which include the following:

          -  “the nature and seriousness of the breach or potential breach”;

          -  “where relevant, the categories of personal data affected (including whether any special categories of personal data are involved) and the level of any privacy intrusion”;

          -  “the number of individuals affected, the extent of any exposure to physical, financial or psychological harm, and, where it is an issue, the degree of intrusion into their privacy”;

          -  “whether the issue raises new or repeated issues, or concerns that technological security measures are not protecting the personal data”;

          -  “the cost of measures to mitigate any risk, issue or harm”;

          -  “the public interest in regulatory action being taken (for example, to provide an effective deterrent against future breaches or clarify or test an issue in dispute)”. [12]

2.36.   The RAP explains that, as a general principle, “more serious, high-impact, intentional, wilful, neglectful or repeated breaches can expect stronger regulatory action”. [13]

[11] RAP, pages 6-7 and 10.
[12] RAP, pages 10-11.
[13] RAP, page 12.

2.37.   Pages 24-25 of the RAP identify the circumstances in which the issuing of a Penalty Notice will be appropriate. They explain, inter alia, that “in considering the degree of harm or damage we may consider that, where there is a lower level of impact across a large number of individuals, the totality of that damage or harm may be substantial, and may require a sanction.” The RAP stresses that each case will be assessed objectively on its own merits. However, it explains that, in accordance with the Commissioner’s risk-based approach, a penalty is more likely to be imposed in, inter alia, the following situations:

          -  “a number of individuals have been affected”;

          -  “there has been a degree of damage or harm (which may include distress and/or embarrassment)”; and

          -  “there has been a failure to apply reasonable measures (including relating to privacy by design) to mitigate any breach (or the possibility of it)”.

2.38.   The process the Commissioner will follow in deciding the appropriate amount of penalty to be imposed is described from page 27 onwards. In particular, the RAP sets out the following five-step process:

        a.   Step 1. An ‘initial element’ removing any financial gain from the breach.

        b.   Step 2. Adding in an element to censure the breach based on its scale and severity, taking into account the considerations identified at section 155(2)-(4) DPA.

        c.   Step 3. Adding in an element to reflect any aggravating factors. A list of aggravating factors which the Commissioner would take into account, where relevant, is provided at page 11 of the RAP. This list is intended to be indicative, not exhaustive.

        d.   Step 4. Adding in an amount for deterrent effect to others.

        e.   Step 5. Reducing the amount (save that in the initial element) to reflect any mitigating factors, including ability to pay (financial hardship). A list of mitigating factors which the Commissioner would take into account, where relevant, is provided at page 11-12 of the RAP. This list is intended to be indicative, not exhaustive.


3. CIRCUMSTANCES OF THE FAILURE: FACTS

Marriott’s acquisition of the Starwood network

3.1.   Marriott acquired Starwood in September 2016. During the acquisition process, Starwood shareholders received 0.8 shares of Marriott, as well as $21 per Starwood common stock. After the acquisition, the Marriott and Starwood computer systems were kept separate, and they remained separate throughout the relevant period. Marriott did, however, plan on integrating aspects of the Starwood network into the Marriott network over an 18-month period in order to create a single, unified network within Marriott’s security footprint.

3.2.   Upon acquisition, but prior to decommissioning the Starwood network, Marriott made enhancements to the security of Starwood’s existing IT network.

3.3.   During the acquisition process, Marriott states that it was only able to carry out limited due diligence on the Starwood data processing systems and databases. [14] For the avoidance of any doubt, the Commissioner is not making any finding of infringement in respect of the period between Marriott’s acquisition of Starwood and the entry into force of the GDPR on 25 May 2018. Accordingly, the Commissioner has not determined whether or not it was possible for Marriott to conduct due diligence during a takeover. There may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover.

[14] See, for example, the representations served by Marriott in response to the Commissioner’s Notice of Intent (“Marriott's First Representations”), para 1.33.

3.4.   This Penalty Notice concerns the extent to which, after the GDPR came into effect on 25 May 2018, Marriott adequately prepared the Starwood systems to protect personal data. In particular, it is necessary to assess whether the Attack disclosed a failure to ensure compliance with Articles 5.1(f) and 32 of the GDPR following its entry into force.

The planned integration of the Starwood and Marriott networks

3.5.   The integration of Starwood into the Marriott hotels group began following the acquisition. While this involved the transferring of data from the Starwood systems to the Marriott network, the systems accessed by the Attacker remained segregated from the Marriott network.

3.6.   As a result, the Attack did not involve access to the wider Marriott network and the Attacker would not have had access to personal data that was processed only on non-Starwood systems. The planned migration and the decommissioning of the Starwood systems was expedited by Marriott after discovery of the Attack and the decommissioning of the relevant Starwood systems was completed on 11 December 2018.
The Attack

3.7. What follows is a summary of the key stages of the Attack.

Pre-acquisition infiltration of the Starwood IT systems

3.8. The Attacker installed a web shell on a device within the Starwood network on 29 July 2014. This device was used to support an Accolade software application. That application was used by Starwood to allow employees to request changes to any content of Starwood's website.

3.9. The installation of a web shell on the server gave the Attacker the ability to remotely access the system, therefore allowing for the accessing and editing of the contents of that system. This access was exploited in order to install Remote Access Trojans ("RATs"), malware which enables remote administrator control of the system. Administrator access allows a user to perform actions above that permitted by a normal user. As a result, the Attacker would have had unrestricted access to the relevant device, and any other devices on the network to which that administrator account would have had access.

3.10. On an undetermined date, the Attacker installed and executed "Mimikatz". This is a post-exploitation tool which allows login credentials temporarily stored in the system memory to be harvested. It scanned the server for all the usernames and passwords stored in this manner in the system and allowed the Attacker to continue to compromise user accounts, which were secured using a mixture of single and multi-factor authentication.[15] These accounts were then used to perform further reconnaissance and, ultimately, to run commands on the Starwood reservation database, as described below.

3.11. On 15 April 2015, a file named "Reservation_Room_sharer.dmp" was created on a Starwood device. This file could have been created by the Attacker with a view to exfiltrating all the data contained in the table at once.[16]

[15] Marriott's First Representations, para 1.40 and page 63.

3.12. On 21 April 2015, a file named "Consumption_Roomtype.dmp" was created. This file could have been created by the Attacker with a view to exfiltrating all the data contained in this table at once.[17]

3.13. On 17 May 2016, a file named "reservation_Room_Sharer.dmp" was created. This file could have been created by the Attacker with a view to exfiltrating all the data contained in this table at once.[18]

3.14. Following Marriott's acquisition of Starwood, on 31 December 2016 or 1 January 2017,[19] additional malware which searched devices for payment card data, known as "memory-scraping malware", was installed on multiple Starwood devices. Marriott believes, but cannot be certain, that this action was carried out by a different attacker to the one responsible for the actions described immediately above. The memory-scraping malware was executed on 10 January 2017 on eight property management systems, but the malware was not successful in collecting payment card data from any of the devices. The eight properties involved were not in the European Union.

Continued Attack, post-acquisition and following the GDPR coming into force

3.15. On 7 September 2018, the Attacker performed a "count" on the "Guest_Master_profile" table, which would have told the Attacker how many rows the table contained.

3.16. This count triggered an alert on the Guardium system placed on the database ("the Guardium Alert"). Such alerts were applied to tables which included card details.[20] The other tables mentioned above did not contain payment card information and were not protected by Guardium software. Thus, no alarm could be triggered by the actions of the Attacker.

[16] Marriott's First Representations, page 63.
[17] Marriott's First Representations, page 63.
[18] Marriott's First Representations, page 63.
[19] Marriott has also provided the alternative date of 1 January 2017 for this installation (see Marriott's Second Representations, page 37).
[20] "Guardium" is a data protection software produced by IBM.
3.17. The Attacker also exported the "Guest_Master_profile" table into a "dmp" file (as had previously occurred in relation to the other tables referred to above).
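The detection gap described in paragraphs 3.15 to 3.17 (database alerting scoped to tables holding card details, so a row count on Guest_Master_profile fired while the earlier full-table exports of the reservation tables did not) can be made concrete with a small database-activity-monitoring rule. The following Python is an added example and is not Marriott's, IBM Guardium's or the Commissioner's code; the audit records, the account names, the mapping of tables to data classes and the rule itself are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed audit records in the shape a database activity monitor captures:
# (timestamp, database account, statement). Not real Starwood logs.
SAMPLE_AUDIT = [
    ("2015-04-15T02:10:00", "svc_report", "SELECT * FROM Reservation_Room_sharer"),
    ("2015-04-21T02:12:00", "svc_report", "SELECT * FROM Consumption_Roomtype"),
    ("2016-05-17T03:00:00", "svc_report", "SELECT * FROM Reservation_Room_sharer"),
    ("2018-09-07T01:15:00", "svc_report", "SELECT COUNT(*) FROM Guest_Master_profile"),
    ("2018-09-07T01:16:00", "svc_report", "SELECT * FROM Guest_Master_profile"),
    ("2018-09-10T04:00:00", "svc_report", "SELECT * FROM PP_Master"),
    ("2018-09-10T09:00:00", "app_pms", "SELECT name FROM Guest_Master_profile WHERE guest_id = 4711"),
]

# Policy A mirrors the configuration the notice describes: only tables holding
# card details are watched. Policy B watches every table classified as holding
# personal data. Both sets are assumptions for the example.
CARD_DATA_TABLES = {"guest_master_profile"}
PERSONAL_DATA_TABLES = CARD_DATA_TABLES | {
    "reservation_room_sharer", "consumption_roomtype", "pp_master",
}

STATEMENT_RE = re.compile(
    r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>[A-Za-z_][A-Za-z0-9_]*)(?P<rest>.*)$",
    re.IGNORECASE | re.DOTALL,
)


@dataclass(frozen=True)
class Alert:
    when: str
    user: str
    table: str
    kind: str  # "row_count" (reconnaissance) or "bulk_read" (export pattern)


def classify(sql):
    """Return (table, kind); kind is "row_count", "bulk_read" or None."""
    m = STATEMENT_RE.match(sql)
    if not m:
        return None, None
    table = m.group("table").lower()
    cols, rest = m.group("cols"), m.group("rest").upper()
    if re.search(r"\bCOUNT\s*\(", cols, re.IGNORECASE):
        return table, "row_count"  # "how many rows are there?" before an export
    if cols.strip() == "*" and "WHERE" not in rest and "LIMIT" not in rest:
        return table, "bulk_read"  # unfiltered whole-table read, as a .dmp export would be
    return table, None  # ordinary application query, no alert


def evaluate(audit, monitored_tables):
    """Apply the rule to audit records; alert only for tables in scope of the policy."""
    alerts = []
    for when, user, sql in audit:
        table, kind = classify(sql)
        if kind and table in monitored_tables:
            alerts.append(Alert(when, user, table, kind))
    return alerts


def coverage_gap(audit):
    """Alerts the personal-data policy raises that the card-data-only policy never sees."""
    narrow = set(evaluate(audit, CARD_DATA_TABLES))
    return [a for a in evaluate(audit, PERSONAL_DATA_TABLES) if a not in narrow]


if __name__ == "__main__":
    for a in evaluate(SAMPLE_AUDIT, CARD_DATA_TABLES):
        print("card-data policy alert:", a)
    for a in coverage_gap(SAMPLE_AUDIT):
        print("missed by card-data policy:", a)
```

Under the card-data policy only the two 2018 statements against Guest_Master_profile alert; the three earlier reservation-table exports and the PP_Master export are silent, which is the situation the notice describes. The point of `coverage_gap` is that the monitoring scope has to follow the data classification (any table holding personal data), not the narrower PCI DSS cardholder boundary.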

Discovery and reporting of the breach

3.18. On 8 September 2018, Accenture, the company managing the Starwood Guest Reservation Base, contacted Marriott's IT team regarding the Guardium alert of the previous day. This was the first Guardium alert relating to the Attack that Marriott had received since its acquisition of Starwood.

3.19. On 10 September 2018, the "PP_Master" table was exported to a "dmp" file on the Starwood system.

3.20. Following the Guardium alert, on 9/10 September 2018, Marriott instigated its Information Security and Privacy Incident Response Plan. On 12 September 2018, Marriott began to deploy real-time monitoring and forensic tools on 70,000 legacy Starwood devices. The purpose of this measure was to monitor the local system and identify potentially malicious activity in real-time, with findings reported back to Marriott's central monitoring server.

3.21. On 15/16 September 2018, Marriott identified further unauthorised activity from 7 July 2018, specifically the use of credentials of Accenture employees.

3.22. On 17 September 2018, the presence of a RAT was identified. Marriott took action to contain the RAT, by blocking the command-and-control IP addresses used by the RAT.

3.23. In early to mid-October 2018, the Attacker's use of Mimikatz on a number of occasions since 2014 was identified, as was the memory-scraping malware referred to in paragraph 3.14. On 29 October 2018, Marriott contacted the United States Federal Bureau of Investigation.

3.24. On 13 November 2018, two compressed, encrypted and previously deleted files were identified. These files were named "guest_master_profile" and "pp_master". On 19 November 2018, the aforementioned files were decrypted, and it was found that they respectively contained an export of the Guest_Master_Profile table and the PP_Master table.

3.25. On 22 November 2018, Marriott notified the Commissioner of a personal data breach.

3.26. On 25 November 2018, Marriott discovered that a file named "Reservation_room_sharer.dmp" had been created on a Starwood device, and on 26 November 2018, Marriott identified a second file named "Reservation_room_sharer.dmp" which had been created on a Starwood device, and established that a file named "consumption_roomtype.dmp" had also been created.

3.27. On 30 November 2018, Marriott provided a follow-up report to the Commissioner regarding further personal data breaches. On the same day, Marriott issued a press release about the Attack and established a dedicated Starwood incident website. Marriott also began sending email notifications to affected data subjects on 30 November 2018. In the initial email notification to data subjects, Marriott informed them that a dedicated call centre had been set up in order to receive complaints. The email notification did not provide the telephone number for the call centre; however, it did contain a link to the dedicated website, which included the telephone number of the call centre. Following telephone contact between the Commissioner's office and Marriott, the email was updated to include the telephone number for the call centre, and Marriott sent the revised version on 9 December 2018.[21]

[21] Marriott's First Representations, page 65.
                                                                                22             On the “reservation_room_sharer_table”:        a central reservation
             confirmation number, a unique numerical room identifier, guest

             name,   SPG   account   information,  whether   the guest has been
             identified   as  a VIP,    a  separate    VIP   code,   5.25   million

             unencrypted    guest passport numbers      (935,000    of which were
             passports associated with EEA member         state records), country
             of guest’s   passport,   arrival  time,  departure    date,  address,

             phone   and fax numbers,    email address,   whether   the guest has
             checked    in, flight  number    and  airline  code,  and   the  total

             number    of guests i the room.

             On    the    “consumption_room_type_table”:           a   reservation

             confirmation   number,    the Guest    Master  profile ID, a unique
             numerical   room   identifier, room  type, number    of child guests,

             number    of adult guests,    number   of cribs used    i the room,
             number of rollaway beds designed for adults and the number of
             rollaway beds designed for children, guest arrival date;


             On the “PP_master_table”:      the passport number record specific

             decryption    key.  Marriott  considers   that   this would    not  be
             sufficient  to  decrypt   the   passport    numbers    as  a master
             encryption   key i also required, and does not appear to have

             been obtained by the attackers.

4.2.    The encrypted    information was as follows:

        a.   18.5 million encrypted     passport  numbers,   4,290,000    of which

             were associated with EEA member        state records.


             9.1  million  encrypted   payment    cards,  873,000    of which   are
             associated with EEA member       state records.2?

4.3.    Marriott’s estimate i that 339 million guest records were affected.

        Of these,   30.1  million were   EEA  records,** of which    7 million are
        associated   with the United    Kingdom.    All data  subjects  who   were

        affected pre-GDPR were also affected by the actions of the Attacker
        post-GDPR,    as the   entire   contents   of the  affected   tables  were
        exported    to “dmp”    files  on  the   Starwood    system    each   time.


2 Marriott’s First Representations, page 65.
2 Marriott’s First Representations, page 65.
2 Marriott’s First Representations, page 65.

                                                                                 23        However,    the  specific  personal  data   involved   differed  between
        individual data subjects.


5. PROCEDURE

5.1. This section summarises the procedural steps the Commissioner has taken. The Annex to this Penalty Notice provides a more detailed chronology.

5.2. Marriott notified the Commissioner of the Attack on 22 November 2018. In response, the Commissioner commenced an investigation into the incident. That investigation included various exchanges with Marriott and considering detailed submissions and evidence.

5.3. On 5 July 2019, the Commissioner issued Marriott with a Notice of Intent to impose a penalty, pursuant to section 155(1) DPA and Schedule 16 of the DPA (the "NOI"). The proposed penalty was £99,200,396.00.

5.4. Marriott made written representations in response to the NOI on 23 August 2019, which are referred to in this Notice as "Marriott's First Representations". Marriott did not request an opportunity to make oral submissions.

5.5. Between August and October 2019, Marriott and the Commissioner exchanged correspondence about a number of issues, including (a) the application of the Commissioner's Draft Internal Procedure, which is discussed further below; (b) the application and/or operation of the Article 60 GDPR consultation process; and (c) Marriott's request for further opportunities to make submissions or representations prior to and during the Article 60 process.

5.6. In a letter dated 6 December 2019, the Commissioner:

a. confirmed that she no longer intended to exercise her discretion to convene the Panel;

b. confirmed that the Draft Internal Procedure would not be taken into account in setting any penalty imposed on Marriott, having considered the detailed representations Marriott had made on this issue in its First Representations. The letter confirmed that the Commissioner would continue to apply the EU and domestic legislative framework in conjunction with the Regulatory Action Policy;

c. outlined how the Article 60 consultation process would be conducted in this case; and

d. agreed to give Marriott the opportunity to make further representations on the Commissioner's draft decision if Marriott agreed to extend the six-month period for the issuing of a penalty notice prescribed in paragraph 2 of Schedule 16 of the DPA. The Commissioner proposed a new deadline of 31 March 2020.


5.7.    The   Commissioner’s     position   on  these   issues  was   informed,    i
        particular,    by     careful    consideration      of    Marriott’s    First

        Representations.         Given    the   length    and    detail   of   those
        representations     and   the  overall   complexity    of the   case,   that
        consideration   took time and     considerable   resources.   That  process

        also resulted in changes     and clarifications to the form and content
        of the draft decision.


5.8.    The Commissioner      was also especially mindful of the fact that she
        acted as lead supervisory authority pursuant to Article 60 GDPR            i
        this case, and that i was therefore important that her investigation

        and   decision  be as comprehensive        as possible,    since  the  draft
        decision   must    be   submitted     for  the   consideration    of   other

        supervisory authorities pursuant to Article 60(3).

5.9.    Although   not required   by law, the Commissioner       considered   that a
        further   opportunity    for  Marriott  to   make    representations    was

        appropriate,   provided    that  an  agreement     could   be  reached    on
        extending   the statutory timetable     having   regard,  i particular, to:
        (   the complexity    of the case, (ii) Marriott’s representations,      and

        (iii) the fact that this i one of the first major decisions made      under
        the new EU data protection regime.


5.10.   Following    further   correspondence,      Marriott   confirmed     on   17
        December    2019   its agreement   to a statutory extension   of time to 31
        March   2020.   On  20 December      2019,   the Commissioner      provided

        Marriott with a draft decision, and    invited i to make    further written
        representations and to provide any other relevant evidence i wished

        the Commissioner     to take into account.
                                                                                  255.11.   On  31 January    2020,   Marriott  provided   further  detailed  written
        representations   on the Commissioner’s     draft decision (“Marriott’s

        Second   Representations”).

5.12.   On   12   February   2020,    the  Commissioner      wrote   to  Marriott
        requesting further information and documents which arose from her

        consideration of the Second    Representations.

5.13.   In  the   light  of  the   length   and   complexity    of  the   Second

        Representations,   on 13 February 2020 the parties agreed a further
        statutory extension   of time until 1 June 2020.

5.14.   Between   28 February 2020 and 28 April 2020, Marriott provided the

        Commissioner     with  the   information   she  had   requested    on  12
        February 2020.

5.15.   On 3 April 2020 the Commissioner       invited Marriott to make   further

        representations specifically i respect of the financial impact on its
        business  caused   by the Covid-19     pandemic.    Marriott  provided   a
        response  to this request on 17 April 2020.


5.16.   Due to the impact of the Covid-19      pandemic,   on 17 April 2020 the
        parties agreed  a further statutory extension of time for the issuing

        of a penalty notice to 30 September     2020.

6. CIRCUMSTANCES OF THE FAILURE: BREACHES

Marriott's failures

6.1. The Commissioner's conclusion is that between 25 May 2018, when the GDPR entered into force, and 17 September 2018, Marriott failed to comply with its obligations under Article 5(1)(f) and Article 32 GDPR. Marriott failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures as required by Article 5(1)(f) and Article 32 GDPR.

6.2. This section describes the specific failures to comply with the GDPR that the Commissioner has found and responds to Marriott's First and Second Representations on the Commissioner's NOI and draft decision.

The relevant standard

6.3. As set out above, Article 5 GDPR requires that personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The data controller, in this case Marriott, is responsible for, and must be able to demonstrate compliance with, that requirement.

6.4. Article 32 GDPR concerns the security of processing personal data and, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, requires a controller to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Such measures may include encryption of personal data and a process for regularly testing, assessing and evaluating the effectiveness of such technical and organisational measures.[25]

6.5. Not every instance of unauthorised processing or breach of security will necessarily amount to a breach of Article 5 or Article 32. The obligation under Article 5 GDPR is to ensure appropriate security; the obligation under Article 32 is to implement appropriate technical and organisational measures to ensure an appropriate level of security, taking account of the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk to the rights of data subjects.

6.6. When considering whether there has been a breach of the GDPR and whether to impose a penalty, the Commissioner must therefore avoid reasoning purely with the benefit of hindsight. The focus should be on the adequacy and appropriateness of the measures implemented by the data controller, the risks that were known or could reasonably have been identified or foreseen, and appropriate measures falling within Article 5 and/or Article 32 GDPR that were not, but could and should have been, in place.

[25] See also Recitals 76, 77 and 83 GDPR.
6.7. Having carefully examined the available evidence, including the evidence and submissions from Marriott and Marriott's Representations, the Commissioner is satisfied that there were multiple failures by Marriott to put in place appropriate technical or organisational measures to protect the personal data being processed on Marriott's systems, as required by the GDPR.

6.8. The NOI and draft decision identified a number of failures by Marriott to put in place appropriate security measures. Following careful consideration of the detailed representations received from Marriott, four principal failures by Marriott are now the subject of this Penalty Notice, which are outlined below.

Preliminary issue: revised scope of the findings made

6.9. In the NOI and the draft decision, concerns were raised in relation to the gaps which the Attack identified in the application of multi-factor authentication ("MFA") within the relevant Starwood network. The Attacker was able to access the Starwood Cardholder Data Environment ("CDE") because MFA was not applied to all accounts and systems with access to the CDE.

6.10. Marriott has explained that:

a. it believed that MFA was in place across the CDE because it had received assurances from Starwood's management to this effect;[26] and

b. this belief was corroborated by two Reports on Compliance ("ROCs"), issued by independent PCI DSS[27] assessors on 29 April 2016 (pre-acquisition) and 23 May 2017 (post-acquisition), which stated that MFA was in place for anyone requiring access into the segmented CDE and was enabled on the jump-server via [...].[28] Marriott placed particular reliance in its representations on the 23 May 2017 report.

6.11. Having considered, in particular, Marriott's Second Representations in response to the draft decision,[29] the Commissioner is satisfied that Marriott did not breach its obligations under the GDPR by relying upon the ROCs (in particular, the ROC issued in May 2017) issued by the PCI DSS assessors to conclude that access to the CDE was protected by MFA (albeit erroneously). The incomplete implementation of MFA is not therefore the subject of this Penalty Notice (and consequently was not taken into account in assessing the appropriate penalty).

[26] Marriott's First Representations, para 1.40(a).
[27] Payment Card Industry Data Security Standard ("PCI DSS").
[28] Marriott's First Representations, para 1.40(b).
[29] Marriott's Second Representations, paras 3.2-3.7 and 3.20-3.24.

The four principal failures

6.12. Taking into account the representations made by Marriott,[30] the following four principal failures are the subject of this Penalty Notice.

(1) Insufficient Monitoring of Privileged Accounts

6.13. As explained above, the Attacker was able to obtain access to the CDE by exploiting an unknown gap in the scope of application of MFA. This failure to secure the 'outer ring' of the CDE is not the subject of this Penalty Notice. Instead, it is of concern that once the Attacker gained access to the CDE, appropriate and adequate measures were not in place to allow for the identification of the breach and to prevent further unauthorised activity (including further unauthorised processing of personal data). This concern arises first in respect of Marriott's failure to put in place appropriate ongoing monitoring of user activity, particularly activity by privileged accounts.

6.14. Marriott had itself determined that there was insufficient monitoring of privileged user accounts [...]. Whilst Marriott did deploy a Security Operations Centre ("SOC") [...], this was insufficient for the reasons given at para 6.23 below.

6.15. The National Cyber Security Centre ("NCSC") guidance, published on 17 November 2018, entitled "10 Steps to Cyber Security: Guidance on how organisations can protect themselves in cyberspace, including the 10 steps to cybersecurity", lists "monitoring" as one of the relevant steps. It explains the importance of monitoring to detecting or responding to attacks which have already taken place or commenced:

    Detect attacks: Either originating from outside the organisation or attacks as a result of deliberate or accidental user activity. Attacks may be directly targeted against technical infrastructure or against the services being run. Attacks can also seek to take advantage of legitimate business services, for example by using stolen credentials to defraud payment services.

    React to attacks: An effective response to an attack depends upon first being aware that an attack has happened or is taking place. A swift response is essential to stop the attack, and to respond and minimise the impact or damage caused.

    Account for activity: You should have a complete understanding of how systems, services and information are being used by users. Failure to monitor systems and their use could lead to attacks going unnoticed and/or non-compliance with legal or regulatory requirements.[31]

[30] See, for example, Marriott's Second Representations, paras 2.2(b)-(c), 3.1(b), 3.8-3.13 and 3.25-3.29.

6.16. The NCSC guidance also explains that monitoring activities should include, inter alia, the monitoring of network traffic and user activity. This NCSC guidance builds upon earlier guidance published by the NCSC which is to similar effect. See, for example, the NCSC guidance entitled "Introduction to identity and access management" published in January 2018,[32] which refers to: (a) "basic principles to follow when designing user access management"; and (b) "basic architectural good practice when designing and administering access management systems". Such basic principles and practices include "operations and monitoring - the supporting processes and technology to identify and enable investigation of breaches of policy or controls". The guidance explains that:

    Given the high value to an attacker of compromising your identity and access management systems they should be given priority for security maintenance. This means, amongst other things, prompt application of security patches across your estate (or otherwise mitigating security issues), practicing good user and privileged user management, and applying appropriate protective monitoring. Additionally, we recommend:

    - designing your access control systems to allow for easy monitoring of account usage and accesses
    - being able to tie all user actions in the system to the user that performed them..."

[31] https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security?curPage=/collection/10-steps-to-cyber-security/the-10-steps/monitoring
[32] https://www.ncsc.gov.uk/guidance/introduction-identity-and-access-management

6.17. Both examples of NCSC guidance detail the basic need for multiple security techniques, processes and technologies in order to secure systems. Accordingly, Marriott ought to have been aware of the need to have multiple layers of security in place in order to adequately protect personal data. Although Marriott had assured itself that it had MFA in place[34] (which, as explained above, the Commissioner accepts that Marriott did), and had certain additional security measures in place, this was not sufficient. Marriott ought to have had in place better monitoring of user activity to aid in the detection of an attack, as an additional layer of security.

6.18. A forensic report into the incident, dated 11 April 2019, was commissioned by Marriott and prepared by Verizon (the “Verizon Report”). It notes that Marriott had not configured logging in respect of “access to systems and/or applications within the CDE.”[35] Marriott did have the results of the ROCs and its own annual penetration tests. However, these did not evaluate the appropriateness of the way in which Marriott monitored (including through logging) the Starwood system or the configurations used for any such monitoring (including logging). Logging configurations are not within the scope of these tests. This is not a criticism of the ROCs or the penetration tests themselves. Rather it reflects the fact that Marriott ought to have taken steps to implement measures which would identify vulnerabilities which the ROCs and penetration tests would not identify. Such steps would include the implementation of effective monitoring (including logging) and alerts as part of Marriott’s wider security measures. This is the gap identified by the Verizon Report.

6.19. In this case, appropriate monitoring would have included the appropriate logging of user activity, especially in relation to privileged users. The logging of user activity once within the CDE, in addition to the logging done by the Guardium software, would have aided in the detection of unusual account activity (such as where, in this case, the Attacker regularly utilised legitimate accounts to perform unauthorised user activity within the CDE). Marriott's failure to log user activity in this way was inconsistent with its obligations under the GDPR.

34 Contrary to, for example, para 3.6 of Marriott’s Second Representations.
35 Verizon Report, page 18.


6.20. Marriott states that “no amount of logging would necessarily have identified an attacker unless the attacker operated from an identified suspicious IP address, which is not the case in this matter.”[36] It is right to say that no security measure “would necessarily” work, there being no guarantee that any security measure is wholly effective. It is also true that it is harder to detect an attacker who is not operating from a suspicious IP address. However, this is precisely why the monitoring of legitimate user accounts (including through logging) within the network for unusual activity is vital. This is recognised by the NCSC, which states in relation to monitoring: “these solutions should provide both signature-based capabilities to detect known attacks, and heuristic capabilities to detect unusual system behaviour”.[37]

36 Marriott’s Second Representations, para 3.39.
37 NCSC “10 Steps to Cyber Security” Guidance, dated November 2018: https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/the-10-steps/monitoring

        (2) Insufficient Monitoring of Databases

6.21. In addition to the insufficient monitoring of user accounts and the user activity linked to those accounts, Marriott failed to adequately monitor the databases within the CDE. In this respect, the Commissioner is concerned by the following three failures: (a) deficiencies in Marriott’s setup of security alerts on databases within the CDE; (b) the failure to aggregate logs; and (c) the failure to log actions taken on the CDE system, such as the creation of files and the exporting of entire database tables.

6.22. Marriott deployed IBM Guardium to monitor activity on the database within the CDE. As configured by Marriott, IBM Guardium had two functions. First, it logged activity (such as efforts to create, read, update, or delete data within a database). Secondly, it issued alerts in certain circumstances. The problems with the approach adopted are as follows.
6.23. With respect to logging, there were two main problems:

    a. First, whilst Marriott had a security incident event management system (“SIEM”) and a SOC to collect the logs being generated by the system, Marriott did not ensure sufficient logging of key activities such as user activity or actions taken on a database. The insufficient logging rendered the SIEM and SOC ineffective. Marriott also insufficiently logged in other areas of its network, such as firewall and access logs.

    b. Second, Marriott did not engage in server logging of the creation of files (or alternatively it did not use the IBM Guardium software in a similar way), which allowed the Attacker to export entire databases to ‘dmp’ files undetected. Such logging is likely to have been feasible for Marriott as such mass export of data does not regularly occur within the normal course of business so as to generate an unhelpful number of false-positives. This form of logging on the system, and the evaluation of the created logs, could have enabled Marriott to detect unexpected activity within the CDE.


6.24. In response to the concerns raised, Marriott has referred to its use of Proventia and McAfee’s IntruShield (two systems which generate and aggregate logs).[38] These are not, however, sufficient to address the risks faced by the Starwood network. McAfee’s IntruShield aids in the detection of zero-day, DoS attacks, spyware, malware, botnets and VoIP threats, while Proventia operated as an intrusion detection system. Like Proventia, IntruShield does not address the shortcomings identified above, namely the failure to monitor database activity and user actions on network devices.

6.25. Marriott stated in its First Representations, and the Commissioner agrees, that such logging would not have prevented the Attack in of itself, but “merely informs a response once the system operator is aware of the malicious activity”.[39] However, regular and close monitoring and evaluation of logs can assist in the early detection of attacks, their mitigation, and the prevention of future attacks. That Marriott did not detect the Attack until alerted by Guardium is indicative of Marriott failing regularly to test, assess, and evaluate the effectiveness of its security measures.

38 Marriott’s Second Representations, para 3.40.
39 Marriott’s First Representations, para 1.61.


6.26. With respect to the Guardium alerts, the problem was that the circumstances in which IBM Guardium would issue alerts were limited in a way which undermined its ability to detect unauthorised activity within the databases.

6.27. In particular, alerts were only placed on tables that contained payment card information, and only specific queries (where table names were directly referenced, such as in a count) triggered warnings in the system. Although the database as a whole did have some protection from Guardium,[40] the known actions of the Attacker prior to 7 September 2018 did not meet the conditions for the triggering of an alert.[41] Marriott has explained that specific alerting rules and tables were chosen in order to reduce false-positives. However, this explanation is insufficient to justify an approach where only tables including payment card data were placed within the scope of Guardium rules. Marriott’s focus on payment card information illustrates a failure to implement appropriate technical and organisational measures to ensure an appropriate level of overall security for all other personal data.

6.28. A risk-based approach was required in this case (as acknowledged in para 1.45 of Marriott's First Representations). Payment card data is likely to be the highest risk category, and the tables containing payment card data could therefore warrant higher security than other tables depending on the sensitivity of the other data held. However, while a risk-based approach may require payment card data to have additional security alerts, this does not justify a complete lack of alerts on tables containing other personal data. Moreover, the other data held may vary in its sensitivity, requiring different security measures to be applied to the tables/relevant processing.
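The following Go program is an added example (not the notice's text, and not Marriott's or IBM Guardium's configuration) of the gap paragraphs 6.23 and 6.27-6.28 describe: the same constructed audit stream is evaluated under a payment-card-only alert policy and under a tiered policy that also covers other personal-data tables and logs dump-file creation. Table names, tiers, users, thresholds and events are assumptions made for the illustration.

```go
// Added example, not from the ICO notice or from Marriott's systems: it
// contrasts a payment-card-only database alerting policy with a tiered policy
// that also covers other personal-data tables and dump-file creation. Table
// names, tiers, users, thresholds and events are constructed for illustration.
package main

import (
	"fmt"
	"strings"
)

// Constructed classification of tables inside the cardholder data environment
// (CDE). Payment card data ranks highest under a risk-based approach, but the
// other tables still hold personal data and so still need some alerting.
var tableTiers = map[string]string{
	"CC_PAYMENTS":    "payment_card",
	"GUEST_PROFILE":  "personal", // names, dates of birth, contact details
	"GUEST_PASSPORT": "personal", // passport numbers
	"ROOM_RATES":     "internal", // no personal data
}

// DbEvent is one database audit record (constructed shape, not Guardium's format).
type DbEvent struct {
	TS    string
	User  string
	Kind  string // "query" or "file_create"
	Table string // for queries
	Rows  int    // rows returned or touched by the query
	Path  string // for file_create
}

// AlertPolicy says which table tiers are alerted on and whether file creation is logged.
type AlertPolicy struct {
	AlertTiers      map[string]bool
	BulkRows        int // rows per query treated as a bulk read
	LogFileCreation bool
}

// CardOnly is the narrow posture the notice describes: rules only on payment
// card tables and no logging of file creation on the database server.
var CardOnly = AlertPolicy{
	AlertTiers: map[string]bool{"payment_card": true}, BulkRows: 10000, LogFileCreation: false,
}

// Tiered puts every table holding personal data in scope and logs dump-file
// creation, which is rare in normal operation and so cheap to alert on.
var Tiered = AlertPolicy{
	AlertTiers: map[string]bool{"payment_card": true, "personal": true}, BulkRows: 10000, LogFileCreation: true,
}

// Evaluate returns one alert line per event that violates the policy.
func Evaluate(events []DbEvent, p AlertPolicy) []string {
	var alerts []string
	for _, e := range events {
		switch e.Kind {
		case "query":
			// Unknown tables map to tier "" which is never in scope.
			if p.AlertTiers[tableTiers[e.Table]] && e.Rows >= p.BulkRows {
				alerts = append(alerts, fmt.Sprintf("%s BULK_READ user=%s table=%s rows=%d", e.TS, e.User, e.Table, e.Rows))
			}
		case "file_create":
			if p.LogFileCreation && strings.HasSuffix(strings.ToLower(e.Path), ".dmp") {
				alerts = append(alerts, fmt.Sprintf("%s DUMP_FILE user=%s path=%s", e.TS, e.User, e.Path))
			}
		}
	}
	return alerts
}

// SampleEvents is a constructed audit stream: a legitimate administrative
// account reads two personal-data tables in bulk and writes a dump file, while
// front-desk traffic consists of single-row lookups, one against the card table.
var SampleEvents = []DbEvent{
	{TS: "2018-09-01T02:10:00Z", User: "svc_report", Kind: "query", Table: "ROOM_RATES", Rows: 120},
	{TS: "2018-09-01T02:11:30Z", User: "dba_admin", Kind: "query", Table: "GUEST_PROFILE", Rows: 2500000},
	{TS: "2018-09-01T02:15:02Z", User: "dba_admin", Kind: "query", Table: "GUEST_PASSPORT", Rows: 300000},
	{TS: "2018-09-01T02:16:45Z", User: "dba_admin", Kind: "file_create", Path: "/var/tmp/export_01.dmp"},
	{TS: "2018-09-01T09:00:00Z", User: "app_frontdesk", Kind: "query", Table: "GUEST_PROFILE", Rows: 1},
	{TS: "2018-09-01T09:05:00Z", User: "app_frontdesk", Kind: "query", Table: "CC_PAYMENTS", Rows: 1},
}

// AlertCounts runs both policies over the same stream.
func AlertCounts(events []DbEvent) (cardOnly, tiered int) {
	return len(Evaluate(events, CardOnly)), len(Evaluate(events, Tiered))
}

func main() {
	for _, a := range Evaluate(SampleEvents, Tiered) {
		fmt.Println(a)
	}
	c, t := AlertCounts(SampleEvents)
	fmt.Printf("card_only=%d tiered=%d\n", c, t) // card_only=0 tiered=3
}
```

Under the card-only policy the bulk reads of the profile and passport tables and the dump file all pass silently, which is the behaviour the notice criticises; the tiered policy raises three alerts on the same stream.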

6.29. Marriott stated that it reasonably assumed, based upon the PCI DSS testing results, that the Guardium alerts in respect of the CDE were appropriately configured.[42] However, the PCI DSS tests concerned the perimeter defences against an attack rather than monitoring systems concerned with the detection of an attacker who had already penetrated the CDE. The tests did not assess the appropriateness of the discriminatory application of the alerts across the CDE segment, nor what this meant for the security of categories of personal data stored in tables which did not contain payment card information. They do not, therefore, provide the reasonable assurance which Marriott claims.

40 Namely in terms of detecting unauthorised access based on IPs or failed login attempts, which the Attacker in this incident bypassed through compromised user credentials.
41 As confirmed by Marriott in its correspondence dated 20 D2018, page 6.
42 Marriott’s First Representations, paras 1.43-44.

6.30. Finally, Marriott suggested that because it believed MFA was implemented across the CDE, this rendered its reliance on that authentication tool and the Guardium alerts as configured reasonable and therefore in compliance with Articles 5(1)(f) and 32 GDPR. This is not accepted; monitoring (including logging) of the types discussed in paras 6.13 to 6.29 above are standard security measures. Control of access through MFA does not displace the need for adequate monitoring (including logging) of activities that assist in detecting a breach once it is in train (see paras 6.15-6.17 above).

        (3) Control of critical systems

6.31. As discussed at paragraphs 6.13-6.30 above, Marriott failed to ensure that the actions taken on its systems were appropriately monitored. In addition to the use of monitoring and security alerts, it would have been appropriate for Marriott to implement a form of server hardening as a preventative measure, which could have prevented the Attacker from gaining access to administrator accounts and performing reconnaissance before traversing across a network.


6.32. In particular, the implementation of whitelisting is one way in which Marriott could have performed server hardening. Whitelisting is a form of programming which only allows certain users or IP addresses to access certain systems or software, as required for their specific role. It is important in reducing attack surfaces and reducing the risk of attackers being able to traverse through a network after gaining entry to a single user account.


6.33. Whitelisting should be deployed where appropriate on critical systems, and those systems which have access to large amounts of personal data. The NCSC Guidance states that: “you should develop a strategy to remove or disable unnecessary functionality from systems.”[43] Whitelisting is also described in NCSC Cyber Essentials guidance as a defence against malware.[44] This supports advice given in earlier guidance by NIST. In October 2015 NIST published a guide to whitelisting which shows how whitelisting can be utilised to prevent unauthorised software from being installed on a device.[45] In this incident, whitelisting could have aided in halting the reconnaissance and privilege escalation stage of the Attack.

6.34. There are many forms of whitelisting. Binary software whitelisting is a form of access control where only authorised software and scripts can be installed on a given system or user areas. For example, only allowing pre-approved software such as Microsoft Word and Outlook to be installed on work laptops. This can be distinguished from other forms of whitelisting, such as the process by which only authorised IP addresses can gain access to network resources.[46] Whilst it is not possible to list the devices in relation to which whitelisting could have been appropriate, at a minimum whitelisting would be expected on: (a) devices which could be remotely accessed; (b) devices which store large amounts of, or sensitive categories of, personal data; (c) any other systems which Marriott regards as ‘critical’ to their network operations; (d) any POS terminals at a property level; and any other devices which process payment card transactions.[47] The implementation of binary software whitelisting would - if correctly implemented - have prevented the installation and execution of a RAT. While it is true that the RAT was installed and executed on the system both pre-acquisition and pre-GDPR, and was therefore not attributable to Marriott, the continued absence of whitelisting post-GDPR left the systems for which Marriott was responsible vulnerable to further RAT installations and executions.
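As an added example (not from the notice or from Marriott's environment) of the two forms of whitelisting paragraph 6.34 distinguishes, the Go program below keys a binary allowlist on the SHA-256 digest of the executable contents, so that an unapproved file does not inherit approval from an approved name or path, and keys a remote-access allowlist on source address prefixes per critical host. Digests, file names, host names and address ranges are constructed.

```go
// Added example, not from the ICO notice or Marriott's environment: a minimal
// allowlisting ("whitelisting") check for the two forms the notice
// distinguishes, binary software allowlisting (only approved executables may
// run) and source-address allowlisting for remote access to critical hosts.
// Digests, paths, hosts and address ranges are constructed for illustration.
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/netip"
)

// digest returns the hex SHA-256 of executable contents. The allowlist keys on
// this value rather than on the file name or path, so a renamed or replaced
// binary does not inherit approval.
func digest(contents []byte) string {
	sum := sha256.Sum256(contents)
	return hex.EncodeToString(sum[:])
}

// approvedBinaries maps allowed SHA-256 digests to a label. The byte strings
// are constructed stand-ins for real executable contents.
var approvedBinaries = map[string]string{
	digest([]byte("constructed bytes standing in for WINWORD.EXE")): "Microsoft Word",
	digest([]byte("constructed bytes standing in for OUTLOOK.EXE")): "Microsoft Outlook",
}

// ExecEvent is a constructed process-start record: who tried to run what, where.
type ExecEvent struct {
	Host, User, ImagePath string
	Image                 []byte // contents of the file about to execute
}

// BinaryAllowed decides a process start under the binary allowlist and returns
// a log line for the SIEM either way; denials are the interesting signal.
func BinaryAllowed(ev ExecEvent) (bool, string) {
	d := digest(ev.Image)
	if label, ok := approvedBinaries[d]; ok {
		return true, fmt.Sprintf("ALLOW host=%s user=%s path=%s (%s)", ev.Host, ev.User, ev.ImagePath, label)
	}
	return false, fmt.Sprintf("DENY host=%s user=%s path=%s sha256=%s", ev.Host, ev.User, ev.ImagePath, d[:12])
}

// remoteAccessAllow lists, per critical host, the source prefixes permitted to
// open administrative sessions (constructed jump-host ranges).
var remoteAccessAllow = map[string][]netip.Prefix{
	"cde-db-01": {netip.MustParsePrefix("10.20.30.0/28")},
	"pos-gw-01": {netip.MustParsePrefix("10.20.30.0/28"), netip.MustParsePrefix("10.50.0.0/24")},
}

// RemoteAccessAllowed reports whether sourceIP may reach targetHost's
// administrative interface. Unknown hosts and unparsable addresses are denied.
func RemoteAccessAllowed(targetHost, sourceIP string) bool {
	src, err := netip.ParseAddr(sourceIP)
	if err != nil {
		return false
	}
	for _, p := range remoteAccessAllow[targetHost] {
		if p.Contains(src) {
			return true
		}
	}
	return false
}

func main() {
	good := ExecEvent{"cde-db-01", "dba_admin", `C:\Program Files\Office\WINWORD.EXE`,
		[]byte("constructed bytes standing in for WINWORD.EXE")}
	swapped := ExecEvent{"cde-db-01", "dba_admin", `C:\Program Files\Office\WINWORD.EXE`,
		[]byte("constructed bytes of an unapproved binary carrying an approved name")}
	for _, ev := range []ExecEvent{good, swapped} {
		_, line := BinaryAllowed(ev)
		fmt.Println(line)
	}
	fmt.Println(RemoteAccessAllowed("cde-db-01", "10.20.30.5"), RemoteAccessAllowed("cde-db-01", "10.50.0.7"))
}
```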

6.35. Marriott stated in its First Representations that binary software whitelisting was rarely implemented by companies at the time of the incident, because it places a heavy burden on IT systems.[48] However, binary software whitelisting was a well-recognised and established security practice for some time before the GDPR came into force, and certainly by that date. The NCSC Guidance lists whitelisting (“prevent unknown software from being able to run or install itself...”) as a “Cyber Essential”. That guidance was published in October 2015, and therefore pre-dates the GDPR.[49] In addition, there is guidance published by the National Institute of Standards and Technology (“NIST”), which recognises whitelisting as a better option than anti-malware.[50] The NIST Guidance was published in 2015, and therefore significantly pre-dates the implementation of the GDPR.

43 See https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/the-10-steps
44 NCSC Cyber Essentials Guidance: Requirements for IT infrastructure (dated April 2020): https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-IT-infrastructure.pdf (pages 10-11, under the heading “Malware Protection”). This language was also included in the now archived version of this guidance, which dated from January 2015: https://webarchive.nationalarchives.gov.uk/20150605225501/https://www.gov.uk/government/publications/10-steps-to-cyber-security-advice-sheets/10-steps-secure-configuration--11
45 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf (dated October 2015). See, in particular, section 2.1 on page 2.
46 See para 1.52 of Marriott’s First Representations.
47 “Protecting Point of Sale Devices from Targeted Attacks” (Microsoft), dated 1 April 2014. https://download.microsoft.com/documents/en-us/Protecting_Point_of_Sale_Devices-April_2014.pdf. See, in particular, page 5.


6.36. Marriott also stated in its First Representations that binary software whitelisting could be circumvented by attackers ‘side loading’ RATs by using legitimate executable code.[51] Whitelisting, like all security measures, cannot be entirely resistant to attack. However, where side-loading did take place in the Attack, that appears to have been because Marriott’s systems vaguely or improperly specified a dynamic-link library (DLL) which allowed such side-loading to take place.[52] Whilst Marriott is right to suggest that these are risks which cannot be fully eliminated from any third-party software,[53] this only highlights the fact that Marriott ought to have carried out regular audits, updates of software and restricted file and directory permissions. The existence of outdated/obsolete software is also an issue noted in both the 2017 and 2018 PCI DSS Reports, and these could have been mitigated by properly reacting to issues discovered in the penetration tests.

6.37. In any event, no single security measure can fully protect a system against attack or compromise. It would have been appropriate for Marriott to have implemented a ‘defence in depth’ strategy, of which whitelisting could play an important role, in order to protect their systems against attack and monitor activity on their network in order to promptly mitigate any unauthorised or malicious actions that managed to bypass their security controls.

48 Marriott’s First Representations, para 1.53.
49 See: https://www.ncsc.gov.uk/information/reducing-your-exposure-to-cyber-attack
50 See: https://www.ncsc.gov.uk/information/reducing-your-exposure-to-cyber-attack and the reference to “whitelisting and execution control - prevents software from being able to run or install itself.”
51 Marriott’s First Representations, para 1.53.
52 See ...techniques/T1... for an explanation of the vulnerabilities that allow side loading to take place.
53 Marriott’s Second Representations, para 3.31.

6.38. The measures discussed above are readily available and mature solutions (i.e. solutions that have been known about in the industry for a long period of time), which are appropriate and could have been implemented by Marriott, to the extent necessary, without entailing excessive cost or technical difficulties. However, it is only suggested that whitelisting (or equivalent server hardening measures which would limit the functionality of systems to only that which is required of them) could be appropriately deployed on (a) critical systems which attackers may target whilst looking to access other, sensitive areas of the network, or (b) systems which could access other (separate) systems containing personal data. Therefore, it would be appropriate to implement a server hardening measure across devices with access to the CDE, the CDE environment itself and any other network devices that could access either large quantities or sensitive categories of personal data.

        (4) Encryption

6.39. Payment card data and, in some cases, passport numbers, were encrypted by Marriott using AES-128, an industry standard encryption algorithm. Oracle databases (the Starwood reservation database included tables stored in an Oracle database) provided the functionality to encrypt table entries in this way, and it was Marriott’s responsibility to ensure this was configured correctly.

6.40. However, in keeping with Marriott’s focus on PCI DSS compliance, encryption was not applied to other categories of personal data. The Commissioner is particularly concerned that not all passport numbers were encrypted.

6.41. In its First and Second Representations, Marriott stated that it had adopted a mature and risk-based approach to cyber security by targeting its security efforts on the tables containing cardholder information.[54] In support of its position, Marriott relied upon a selective quotation from the NCSC Guidance in its written submissions. However, the Commissioner notes that the full quote provides as follows:

            “In some scenarios, the use of encryption to protect bulk data should be the norm. For example, where data is transmitted over the internet, stored on a laptop, or stored on removable media. However, encryption relies on good key management, and in some scenarios it is challenging to engineer a solution which makes meaningful use of encryption to protect personal data. This is sometimes the case in systems which are always online, where data needs to be available to query. In these scenarios, your systems architects and designers will need to think carefully about how encryption can be used in a meaningful way.”[55]

54 Marriott’s Representations, paras 1.27 and 1.63; see also para 3.45 of Marriott’s Second Representations.

6.42. However, Marriott has not provided any risk assessments which demonstrate the evaluative judgement it arrived at and the rationale for its approach to the encryption of personal data. On the contrary, Marriott has taken an inconsistent approach by encrypting some but not all passport numbers. In addition, while it may be true that cardholder information is of higher risk than other categories of personal data, this does not vitiate the risk to other categories of personal data. Thus, while the NCSC guidance quoted above does not say that Marriott is required to implement encryption across all personal data, it does require Marriott to explain why it chose to selectively encrypt data.[56] Even if Marriott reasonably believed that the CDE was protected by MFA, it was aware - or ought to have been aware - that no system is fully secure.[57]

6.43. Marriott, in its First Representations, also claimed that it would have been impractical for it to have encrypted any more personal data than it did.[58] However a number of methods exist to facilitate the identification of the user to which a piece of data refers, so that decryption of personal data can take place quickly and when necessary. One method is through the use of a unique identifier (such as a UUID), which can aid in querying and decrypting individual pieces of data associated with individual customers where required in almost real-time. There are also Hardware Security Modules which Marriott could have utilised, encrypting data in near real time at its source and decrypting it at its destination.

55 See: https://www.ncsc.gov.uk/collection/protecting-bulk-pers (emphasis added).
56 Marriott’s Second Representations, para 3.46(c).
57 Marriott’s Second Representations, para 3.46(b).
58 Marriott’s First Representations, para 1.27(b).
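The UUID-keyed approach paragraph 6.43 describes, as an added example in Go (not code from the notice, from Starwood or from Marriott): each record's passport number is encrypted with AES-128-GCM and the row is addressed by a UUID, so one entry can be fetched and decrypted on demand without decrypting the table. The key, the sample records and the UUID helper are assumptions; a production deployment would hold the key in an HSM or key management service, as paragraph 6.43 also mentions, rather than in the application process.

```go
// Added example, not from the ICO notice or from the Starwood system: field
// level encryption of one sensitive column (passport number) with AES-128-GCM,
// where each record is addressed by a UUID so that a single entry can be
// fetched and decrypted on demand without decrypting the table. The key, the
// records and the UUID helper are constructed for illustration; in production
// the key would live in an HSM or key management service, not in the process.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newUUIDv4 returns a random RFC 4122 version 4 UUID string.
func newUUIDv4() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// EncryptedRecord is one row: clear columns plus the encrypted passport number.
// The per-record nonce is stored alongside; GCM appends its tag to the ciphertext.
type EncryptedRecord struct {
	ID       string // UUID used to locate the row
	Name     string
	Nonce    []byte
	Passport []byte // AES-128-GCM ciphertext of the passport number
}

// Vault holds the AEAD built from a 16-byte AES-128 key and the rows by UUID.
type Vault struct {
	aead    cipher.AEAD
	records map[string]EncryptedRecord
}

// NewVault wraps a 16-byte key (AES-128) in an AEAD.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 16 {
		return nil, errors.New("AES-128 requires a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, records: map[string]EncryptedRecord{}}, nil
}

// Insert encrypts the passport number under a fresh nonce, binds the ciphertext
// to the record's UUID as additional authenticated data, stores the row and
// returns the UUID that later lookups use.
func (v *Vault) Insert(name, passport string) (string, error) {
	id, err := newUUIDv4()
	if err != nil {
		return "", err
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nil, nonce, []byte(passport), []byte(id))
	v.records[id] = EncryptedRecord{ID: id, Name: name, Nonce: nonce, Passport: ct}
	return id, nil
}

// LookupPassport decrypts exactly one record's passport number by UUID. A row
// copied under a different UUID fails authentication because the UUID is part
// of the additional authenticated data.
func (v *Vault) LookupPassport(id string) (string, error) {
	r, ok := v.records[id]
	if !ok {
		return "", errors.New("no record with that id")
	}
	pt, err := v.aead.Open(nil, r.Nonce, r.Passport, []byte(id))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key; never hard-code a real one
	v, _ := NewVault(key)
	id, _ := v.Insert("A. Guest", "P123456789") // constructed sample data
	pp, err := v.LookupPassport(id)
	fmt.Println(pp, err) // P123456789 <nil>
}
```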

6.44. In addition, the level of security that the encryption could have achieved was compromised within the Starwood guest reservation database by a script, developed by Starwood, which allowed for AES-128 encrypted entries in a database table to be decrypted. [redacted]

[Paragraphs 6.45-6.47 redacted]

59 ... agrees that it is unlikely that the attacker did run it ... of times ... the Commissioner ... wished, this could have been achieved in very little time ... could be run as an automated process.
60 Marriott’s Second Representations, para 3.46(a).

        Marriott’s wider arguments


6.48. In addition to the arguments referred to above, Marriott’s Representations raised a number of more general legal and/or factual arguments. This section addresses the following submissions made by Marriott:

    a. First, that the Commissioner had assessed the issue of breach without reference to “any clear standards”,[61] reasoned with the benefit of hindsight and regarded the fact that the Attack was successful as an indicator that the security measures were inappropriate.[62] Marriott claims that the Commissioner has applied an “impossibly high standard of care”.[63]

    b. Second, that the Commissioner failed to apply a holistic approach.[64]

    c. Third, that the Commissioner impermissibly relied upon Marriott’s pre-GDPR conduct, and incorrectly concluded on a provisional basis that Marriott had failed to carry out sufficient and appropriate due diligence.[65]

    d. Fourth, that the Commissioner erred in referring to Article 25 GDPR in the NOI.[66]

    e. Fifth, that the Commissioner erred in reaching the provisional view in the NOI that Marriott had breached the notification requirement under Article 33 of the GDPR.[67]

    f. Sixth, that the Commissioner was wrong provisionally to find in the NOI that Marriott’s notification to data subjects breached Article 34 of the GDPR.[68]

61 Marriott’s First Representations, paras 1.3-1.7.
62 Marriott’s First Representations, paras 1.8-1.12. See, to similar effect, Marriott’s Second Representations, Executive Summary, para 3, and para 3.1(b), and paras 3.15-3.18.
63 Marriott’s First Representations, Executive Summary, para 1; para 1.2; see also Marriott’s Second Representations, paras 3.14-3.18.
64 Marriott’s First Representations, Executive Summary, paras 1 and 5, and paras 1.13-1.15; and Marriott’s Second Representations, para 2.2(c).
65 Marriott’s First Representations, Executive Summary, paras 3-4, paras 1.18-1.20 and 1.29-1.37.
66 Marriott’s First Representations, para 1.21.
67 Marriott’s First Representations, Executive Summary, para 7, and paras 2.1-2.10 and 2.16.


6.49. In its First and Second Representations, Marriott also advanced a number of points in relation to: (a) the Commissioner’s approach to determining whether to impose a penalty; and (b) her methodology in calculating the proposed penalty as set out in the Notice of Intent and the draft decision. These arguments are addressed in Section 7 below.

        (1) The correct approach/standard

6.50. Marriott claims that: (a) the Commissioner’s factual findings were inaccurate; and/or (b) the Commissioner cannot maintain the conclusion that appropriate measures were available that Marriott failed to take to remove and/or mitigate the risk of an attack of the kind which occurred in this case because she had applied the incorrect standard or approach.[69]

6.51.   In the analysis set out above, the Commissioner has clarified certain

        factual  findings   made    i the Notice    of Intent   i the light of the
        submissions     made     by   Marriott   i   both   its  First  and   Second

        Representations, including by, i particular, clarifying her position i
        respect of the incomplete application of MFA.


6.52.   Further,   paragraphs    6.3-6.8 above,    provide an accurate summary
        of   the   position   on   the   relevant   standard     and   set   out   the

        Commissioner’s response to Marriott’s argument that she applied an
        incorrect, unduly high, inappropriate or unclear standard i the NOI
        and/or draft penalty notice. The analysis set out i Section 6 above

        clearly explains the basis for the finding that Marriott failed to put i
        place appropriate     security arrangements      as required   by the GDPR

        by reference to the specific facts of this case. Contrary to the claims
        made    i Marriott’s First Representations, the Commissioner          has not

        applied    a   one-size-fits-all   approach     to   what    measures      are
        appropriate to secure different types of personal data.”°





6 Marriott’s First Representations, paras 2.11-2.15 and 2.16.
RepresentationsExecutive Summary,,para 3.1.3—1.5  and  1.39-1.70; and Marriott’sSecond
7 Contrary to, i particular, paras 1.16-1.17 of Marriott’s First Representations.

6.53.   As the Commissioner has set out above, and as she set out in the
        NOI, there were a number of appropriate measure(s) available to
        Marriott that an organisation of its scale would be expected to take
        to secure its data operations. Contrary to the claims made by
        Marriott, this Penalty Notice (and the NOI/draft decision) does not
        proceed on the basis that simply because the Starwood system was
        the victim of the Attack, it follows that Marriott breached the
        GDPR.[71] The reasoning supporting this Penalty Notice, and the NOI
        and draft decision, does not adopt such a simplistic approach.

6.54.   For essentially the same reasons, contrary to Marriott's
        submissions,[72] the Commissioner's findings do not involve applying
        the benefit of hindsight in an improper manner, or at all (as already
        explained above). The Commissioner is satisfied that there were four
        distinct weaknesses in Marriott's system, each of which Marriott
        ought to have identified and remedied, using one of the range of
        options available to Marriott (as discussed above). The
        Commissioner does not rely on the 'success' of the Attack as
        evidence that a breach of the GDPR definitely occurred. Instead, the
        Attacker's ability to exploit deficiencies in Marriott's security
        measures, for which remedies were available, discloses wider
        failures to put appropriate measures in place. In particular, the
        failure to encrypt all passport numbers was inadequate. There was
        also a failure to place Guardium alerts on tables other than those
        which contained payment information, thereby allowing the attack
        to go on undetected for a longer period.
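The alert-coverage gap described in 6.54 (database alerts scoped to payment tables only) can be shown with a small database-activity-monitoring rule. The Python below is an added illustration; it is not part of this Penalty Notice, is not IBM Guardium policy syntax, and is not Marriott's actual configuration. Only the table name Guest_Master_Profile comes from the notice; the other table names, the classification map, the audit-record layout, the service-account name and the sample records are constructed for the example.

```python
"""Added illustration (not from the Penalty Notice, and not IBM Guardium or
Marriott configuration): the effect of scoping database alerts to payment
tables only versus to every table classified as holding personal data."""
from dataclasses import dataclass

# Constructed data classification. Guest_Master_Profile is named in the
# notice; the other table names and the tag sets are assumptions.
TABLE_CLASSES = {
    "Payment_Card": {"payment"},
    "Guest_Master_Profile": {"personal", "passport"},
    "Room_Inventory": set(),            # no personal data
}

# Operations a monitoring rule should treat as high-signal regardless of
# row count: a bulk export, or a row count that typically precedes one.
HIGH_SIGNAL_OPS = {"EXPORT", "DUMP", "COUNT"}


@dataclass(frozen=True)
class AuditEvent:
    """One row of a constructed database audit trail."""
    ts: str
    db_user: str
    table: str
    operation: str
    rows: int


def payment_only_policy(ev: AuditEvent) -> bool:
    """Alert only for tables tagged 'payment' (the scope the notice criticises)."""
    return "payment" in TABLE_CLASSES.get(ev.table, set())


def classification_policy(ev: AuditEvent, bulk_threshold: int = 10_000) -> bool:
    """Alert for any table that carries a personal-data classification when the
    access is a high-signal operation or a bulk read at or above the threshold."""
    classes = TABLE_CLASSES.get(ev.table, set())
    if not classes:
        return False
    return ev.operation in HIGH_SIGNAL_OPS or ev.rows >= bulk_threshold


def evaluate(events, policy):
    """Return the events a policy would raise an alert for, in input order."""
    return [ev for ev in events if policy(ev)]


def coverage_gap(events, narrow_policy, broad_policy):
    """Events surfaced by the broader policy but silently passed by the narrow one."""
    return [ev for ev in events if broad_policy(ev) and not narrow_policy(ev)]


# Constructed sample audit trail: a service account reads an unclassified
# table, then counts and exports the guest profile table, then counts a
# payment table. Timestamps and the account name are invented.
SAMPLE_EVENTS = [
    AuditEvent("2018-09-01T01:12:00Z", "svc_report", "Room_Inventory", "SELECT", 120),
    AuditEvent("2018-09-01T01:30:00Z", "svc_report", "Guest_Master_Profile", "COUNT", 0),
    AuditEvent("2018-09-01T02:05:00Z", "svc_report", "Guest_Master_Profile", "EXPORT", 5_000_000),
    AuditEvent("2018-09-02T03:00:00Z", "svc_report", "Payment_Card", "COUNT", 0),
]

if __name__ == "__main__":
    for name, policy in (("payment-only", payment_only_policy),
                         ("classification", classification_policy)):
        hits = evaluate(SAMPLE_EVENTS, policy)
        print(f"{name}: {len(hits)} alert(s):", [e.table for e in hits])
    missed = coverage_gap(SAMPLE_EVENTS, payment_only_policy, classification_policy)
    print("missed by payment-only scope:", [(e.operation, e.table) for e in missed])
```

On the constructed trail the payment-only rule fires once, for the count against Payment_Card, so the count and the five-million-row export of the profile table never reach the monitoring team; the classification-scoped rule raises both of those as well. The point of keying the rule on a data classification rather than a hand-picked table list is that any table later tagged as holding personal data is covered without a separate alert change.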


6.55.   At para 1.12 of its First Representations, Marriott also claims that
        there is no basis for the suggestion that, under the GDPR, it ought
        to have identified the type of Attack which is the subject of this
        Notice, or carried out any further improvements on the Starwood
        systems, because the system was the "victim of a sophisticated
        attacker, which adopted a multi-vectored approach to its attack and
        was able to circumvent numerous protections that were in place".
        However, the sophistication or specific vector of the attack is not the
        relevant focus. A controller has to implement appropriate measures
        to ensure the security of its systems. The measures mentioned
        above could have been implemented using standard industry tools,
        and could have prevented, detected and/or mitigated the impact of
        the Attack. What the Attack disclosed was the failure by Marriott to
        put in place appropriate security measures to address attacks of this
        kind and/or other identifiable risks to the system.

71 Marriott's First Representations, paras 1.8-1.9.
72 See, in particular, Marriott's Second Representations, paras 3.15-3.18.

6.56.   Furthermore, Marriott was wrong to state[73] that the fact that the
        relevant Starwood IT system was due to be retired shortly means
        that it was not necessary to put in place the types of appropriate
        measures identified above in order to comply with Articles 5(1)(f)
        and/or 32 GDPR.

6.57.   In particular, Marriott relies on the fact that it originally intended to
        decommission the Starwood system in the first quarter of 2018 in
        response to the concerns raised about its security measures. It is
        important to note that the intended decommissioning was due to
        take place approximately a year and a half after the acquisition of
        Starwood, a long period of time during which data continued to be
        processed on the system. In fact, the intended decommissioning did
        not take place in the first quarter of 2018; the timetable was altered
        such that it was only to be achieved by the end of 2018. Whilst the
        Commissioner accepts that Marriott could not have known about the
        delay to the decommissioning timetable at the outset,[74] in early
        2018 Marriott was aware that the GDPR was coming into force and
        that it would be continuing to process data within the Starwood
        network for a number of months after that. During this period,
        appropriate monitoring (including logging) and alerting tools could
        have been implemented relatively quickly in order to secure the
        systems until their decommissioning at the end of 2018.


6.58.   Many of the measures identified in the discussion of the four principal
        errors above could have been easily implemented as part of the
        security improvements which Marriott was already making over this
        period. With regard to logging, the appropriate changes to what
        was in fact being logged could have been made as part of Marriott's
        SIEM and SOC projects. No additional steps as part of the "general
        IT lifecycle process" would have been required.[75] Similarly, changes
        to the Guardium alert settings could have been made relatively
        quickly and easily when IBM Guardium was deployed. The
        appropriate server hardening measures could have been
        implemented within 6-12 months (depending on which measures
        Marriott selected and how it chose to implement them).

73 Marriott's Second Representations, paras 3.32-3.36.
74 Marriott's Second Representations, paras 3.35-3.36.
75 Marriott's Second Representations, para 3.38.


6.59.   The fact that an IT system is due to be retired shortly does not
        disapply the GDPR to the data being processed through that system.
        Marriott was still obliged to decide what appropriate measures
        should be in place in the light of the continued use of the system.
        While the fact that a system is to be decommissioned may be a
        relevant factor in determining what measures would be appropriate
        in a given case, this ultimately does not remove the basic obligation
        to put in place security measures appropriate to the risk posed by
        the continued processing. This may militate against, for example, a
        requirement that a controller, even one of the size and scale of
        Marriott, put in place expensive, state-of-the-art measures, where
        the system is to be decommissioned in the near future. However,
        where other appropriate measures are available without entailing
        disproportionate cost or delay, they should be put in place if they
        are required to ensure a level of security appropriate to the risks
        posed by continued processing. As explained above, the specific
        measures identified in the discussion of the four principal errors
        above are all ones which could have been put in place in a short
        amount of time, and which would not have entailed excessive cost.

        (2) A holistic approach

6.60.   The Commissioner has had regard to Marriott's detailed submissions
        on the security measures it had in place generally, and those it
        implemented after its limited due diligence on the Starwood
        systems.[76] However, the investigation has identified a number of
        appropriate measures or steps that should have been taken by
        Marriott to address the identified security risks within its system.
        The Attack, and/or other attacks which could have occurred as a
        result of the deficiencies in Marriott's systems identified above,
        mean that, even judged holistically, Marriott's technical and
        organisational data security arrangements cannot be regarded as
        sufficient or appropriate.


6.61.   The Commissioner has also considered Marriott's submissions about
        the improvements made to Starwood's systems post-acquisition,
        which are said to show that it engaged in appropriate due
        diligence.[77] However, it is notable that none of those steps identified
        the relevant, easily detectable, deficiencies in Marriott's security,
        which could have been easily addressed but were exploited during
        the Attack. Marriott's submissions in this regard focus on
        improvements it made to its own systems, and which the Starwood
        systems / data would benefit from when they were migrated to its
        network (paras 1.35(b)-(c) of Marriott's First Representations). But
        this does not meet the concern that Marriott continued to use the
        Starwood system without remedying the clear deficiencies in its
        security arrangements. It is clear from Marriott's Representations[78]
        that only limited changes were made to the Starwood system
        because it was expected to be decommissioned sometime in the
        future. It is apparent that these changes were not sufficient to
        address the failings described above which should have been
        addressed given the ongoing processing that was to take place prior
        to decommissioning.

76 See, in particular, para 1.35 and paras 1.39-1.70 of Marriott's First Representations.

        (3) Pre-GDPR conduct and due diligence

6.62.   Marriott is wrong to argue that the NOI relied upon Marriott's failure
        to appropriately secure its systems and the personal data stored on
        them, prior to the period covered by the GDPR. The fact that no such
        reliance was placed on the pre-GDPR conduct was made clear in the
        NOI itself.[79]


6.63.   Marriott's argument in this regard relies on the claim that any duty
        to undertake a due diligence process is one which would have to be
        discharged prior to or shortly after acquisition. Marriott submitted
        that it is not tenable to proceed on the basis that acquisition due
        diligence is a "seemingly endless" process.[80]

6.64.   While the Commissioner accepts that the acquisition of a company /
        data processing operations is a trigger for a controller to carry out
        due diligence, either immediately prior to acquisition or shortly
        thereafter, this is not the only trigger point for such activity. The
        need for a controller to conduct due diligence in respect of its data
        operations is not time-limited or a 'one-off' requirement. In
        particular, the coming into effect of the GDPR was, for a global
        business like Marriott, a highly relevant factor.

77 Marriott's First Representations, paras 1.15 and 1.30-1.35.
78 See paras 1.34 and 1.35(d) of Marriott's First Representations and paras 3.35-3.36 of Marriott's Second Representations. See also para 6.56 above.
79 Marriott's First Representations, paras 2.4-2.10; see also Marriott's First Representations, para 1.20.
80 Marriott's First Representations, para 1.20(a) and (b).


6.65.   Controllers such as Marriott would have been aware for some time
        that the GDPR was going to come into effect on 25 May 2018. It was
        incumbent on such controllers to ensure that their data processing
        complied with the provisions of EU law from that date. However,
        after May 2018 Marriott continued to process personal data using a
        system that was deficient in a number of respects, and those
        deficiencies only came to light following the discovery of the Attack
        some months later.

6.66.   Given Marriott's ongoing duty to ensure that the systems it had
        acquired from Starwood were GDPR compliant, it is no answer to
        claim that certain due diligence steps were, or only needed to be,
        taken in the period immediately after acquisition. Controllers cannot
        process personal data without appropriate security measures being
        in place on the basis that the system was deficient prior to May 2018
        and has not been remedied. Even if adequate due diligence had been
        undertaken at the point of acquisition, that would not have removed
        Marriott's obligation to ensure, on a continuing basis, that it
        complied with the GDPR, once that Regulation came into force.

6.67.   Marriott recognises this, but relies upon inter alia its PCI DSS
        assessment process as the means by which this continuing
        obligation was discharged.[81] However, PCI DSS assessments are
        limited in their ability to detect and mitigate vulnerabilities within a
        network, for the reasons given at paragraph 6.29 above. Rather,
        adequate and appropriate due diligence would have included
        reviewing the adequacy of the monitoring (including logging)
        systems within the network.

6.68.   Thus, for the avoidance of any doubt, this decision relates solely to
        Marriott's failures after 25 May 2018. The Commissioner has not
        issued a decision under the Data Protection Act 1998 ("DPA
        1998"), despite the historic, pre-2018 nature of the concerns in
        respect of the Starwood system.

81 Marriott's Second Representations, page 47.

        (4) Article 25

6.69.   The Commissioner acknowledges that the NOI, at para 58, included
        an erroneous reference to Article 25 GDPR. This was a typographical
        error. The penalty figure set out in the NOI did not take into account
        any breach of Article 25.

        (5) Article 33

6.70.   At the NOI stage, a provisional finding of breach of Article 33 GDPR
        was proposed. However, this finding no longer forms part of the
        decision against Marriott.


6.71.   In reaching this decision, the Commissioner did consider Marriott's
        claims that (i) the Commissioner failed to identify the date on which
        Marriott became aware of the breach;[82] and (ii) the Commissioner
        misapplied the GDPR rules on when a controller must be taken to be
        aware of a personal data breach.[83]


6.72.   However, it is not accepted that the NOI failed to identify the date
        on which Marriott became aware of the breach for the purposes of
        Article 33 GDPR. The Commissioner identified 8 September 2018 as
        the relevant date at para 52 of the NOI: "Marriott had been aware
        of unauthorised access to the Starwood systems since the Guardium
        alert on 8 September 2018... It would have been reasonable at that
        point for Marriott to conclude that personal data was likely to have
        been accessed by an unauthorised party." The reference to the
        "dmp" files in para 53 of the NOI cannot reasonably be read as
        referring to the identification of the dmp files on 13 November
        2018.[84] Rather, this was a reference to the fact that on 7 September
        2018 the Attacker exported the "Guest_Master_Profile" table - a
        table that Marriott knew to contain personal data - into a "dmp" file.
        Marriott was alerted to the presence of the Attacker by Accenture
        on 8 September 2018, the day after this took place.

6.73.   Marriott was also incorrect to submit that the GDPR requires a data
        controller to be reasonably certain that a personal data breach has
        occurred before notifying the Commissioner. Rather, a data
        controller must be able reasonably to conclude that it is likely a
        personal data breach has occurred to trigger the notification
        requirement under Article 33.

82 Marriott's First Representations, paras 2.1-2.3.
83 Marriott's First Representations, paras 2.4-2.11.
84 Marriott's First Representations, para 2.1.

6.74.   Nevertheless, the Commissioner took into account, in particular,
        Marriott's explanation that a count can be performed on a database
        without any of the personal data held on that database being
        accessed, and that Marriott's position is that it was unaware of the
        export of the "Guest_Master_Profile" table into a "dmp" file (which
        took place on 7 September 2018) until 13 November 2018.[85] The
        Commissioner has also taken into account Marriott's submission that
        the "Guest_Master_Profile" contained non-personal data, and
        therefore it was only with decryption of that file on 19 November
        2018 that it became aware of the personal data breach.

6.75.   Thus, in this particular case, and in the light of Marriott's
        Representations, the Commissioner has decided not to make a
        finding that Marriott breached Article 33 GDPR.

        (6) Article 34

6.76.   The NOI contained a provisional finding of a breach of Article 34
        GDPR. Marriott submitted detailed submissions in response to that
        proposal.[86]


6.77.   The Commissioner recognises that Marriott established a dedicated
        website regarding the breach, and issued a press release which was
        widely reported.[87] Marriott claims in its Representations that a
        dedicated website and press release would have been sufficient for
        it to have discharged its obligations under Article 34.[88] This is
        incorrect.

6.78.   Article 34(1) requires Marriott to "communicate the personal data
        breach to the data subject" (emphasis added). Where this would
        involve "disproportionate effort", Marriott may issue a public
        communication or similar measure (Article 34(3)(c)). Sending an
        email to data subjects whose current email addresses are stored on
        Marriott's systems is not, on any view, a disproportionate measure.
        It is a routine commercial activity. This is supported by the fact that
        Marriott did inform the data subjects, via email, very soon after it
        identified the breach. The Commissioner accepts that some data
        subjects will not have been contactable in that way; the most
        obvious example being individuals who had changed their contact
        details. In these cases, it may have involved a disproportionate
        effort to track those individuals down in order to communicate the
        breach and, for such individuals, Marriott will have discharged its
        duty by way of its press release and dedicated website. However,
        Marriott is not entitled to rely upon communications which are
        addressed to the world at large (such as its press release and
        website) as discharging its duties under Article 34(1) in relation to
        all data subjects.

85 Marriott's First Representations, paras 2.4-2.10.
86 Marriott's First Representations, paras 2.11-2.16.
87 Marriott's First Representations, para 2.12.
88 Marriott's First Representations, para 2.14.

6.79.   The Commissioner is accordingly entitled to consider Marriott's
        direct communications (including emails) with the affected data
        subjects as the means by which Marriott sought to satisfy its
        obligations under Article 34 GDPR.

6.80.   The email sent by Marriott referred to a "dedicated call centre", this
        being a specific telephone line set up for affected data subjects to
        contact for further information, but it did not include the telephone
        number. The email, having communicated the "name" of the contact
        point, did not communicate the "contact details" of the point where
        more information could be obtained. While plainly not deliberate,
        these omissions to some extent undermined the effectiveness of the
        notification.

6.81.   The Commissioner has taken into account the fact that the email
        contained a link to the dedicated website, which in turn provided the
        telephone number for the dedicated call centre,[89] although the email
        itself did not. On this occasion, and in light of the information that
        Marriott did in fact provide to affected data subjects, this Penalty
        Notice does not include any finding that Marriott breached Article 34
        GDPR.


7.      REASONS FOR IMPOSING A PENALTY & CALCULATION
        OF THE APPROPRIATE AMOUNT

7.1.    For the reasons set out above, the Commissioner's view is that
        Marriott has failed to comply with Articles 5(1)(f) and 32 GDPR.
        These failures fall within the scope of sections 149(2) and 155(1)(a)
        DPA. For the reasons explained below, the Commissioner has
        decided that it is appropriate to impose a penalty in the light of the
        infringements she has identified.

89 Marriott's First Representations, para 2.14(a).

7.2.    In deciding to impose a penalty, and calculating the appropriate
        amount, the Commissioner has had regard to the matters listed in
        Articles 83(1) and (2) GDPR and has applied the five-step approach
        set out in her RAP.


The imposition of a penalty is appropriate in this case

7.3.    Both the RAP and Article 83 GDPR provide guidance as to the
        circumstances in which it is appropriate to impose an administrative
        fine or penalty for breaches of the obligations imposed by the GDPR.

7.4.    Article 83(2) GDPR lists a number of factors that must be taken into
        account. These are each discussed in detail below in determining the
        appropriate level of fine, in accordance with the steps outlined in the
        RAP. The points made below are also relied upon in justifying the
        Commissioner's decision to impose a penalty, in the light of the
        findings of infringement set out above.


7.5.    The RAP provides guidance on when the Commissioner will deem a
        penalty to be appropriate.[90] In particular, the RAP explains that a
        penalty is more likely to be imposed where, inter alia, (a) a number
        of individuals have been affected; (b) there has been a degree of
        damage or harm (which may include distress and/or
        embarrassment); and (c) there has been a failure to apply
        reasonable measures (including relating to privacy by design) to
        mitigate any breach (or the possibility of it).


7.6.    As discussed in more detail below, each of those features is present
        in this case. Taking together the findings made above about the
        nature of the infringements, their likely impact, and the fact that
        Marriott failed to comply with its GDPR obligations, the
        Commissioner considers it appropriate to apply an effective,
        dissuasive and proportionate penalty, reflecting the seriousness of
        the breaches which have occurred.






90 Pages 24-25, see para 2.37 above.

Calculation of the appropriate penalty

        Step 1: an 'initial element' removing any financial gain from the
        breach[91]

7.7.    Marriott did not gain any financial benefit, or avoid any losses,
        directly or indirectly as a result of the breach. The Commissioner
        has not, therefore, added an initial element at this stage.

        Step 2: Adding in an element to censure the breach based on its
        scale and severity, taking into account the considerations identified
        at sections 155(2)-(4) DPA

7.8.    Sections 155(2)-(4) DPA refer to and reproduce the matters listed
        in Articles 83(1) and 83(2).


        The nature, gravity and duration of the failure (Article
        83(2)(a))

7.9.    Nature and gravity of the failures: The nature of the failures is
        of significant concern. As set out above, there were multiple
        measures that Marriott could have put in place that would have
        allowed for the detection of or mitigated the Attack insofar as it
        continued after 25 May 2018.[92] What the Attack shows is that during
        the relevant period Marriott was processing data on a system that
        had multiple security failings that were exploited by the Attacker
        and could have been exploited by others.

7.10.   In Marriott's submissions it has placed a great deal of emphasis on
        other security measures it had in place, criticising the NOI/draft
        decision for failing to look at the matter holistically.[93] This criticism
        is misplaced. The Commissioner has carried out a holistic analysis
        of the relevant systems and security processes operated by Marriott.
        What that analysis showed was that the measures identified in
        section 6 above were appropriate to secure the CDE. Marriott's
        implementation (or perceived implementation) of other security
        measures was not sufficient. It was appropriate for there to be
        multiple layers of security in this case (for the reasons given at
        paragraph 6.17 above).

91 Removing any financial gain the data controller may have obtained from the infringement is consistent with ensuring that the penalty is effective, proportionate and dissuasive (Article 83(1)), and has regard to Article 83(2)(k), which refers to "financial benefits gained, or losses avoided, directly or indirectly, from the infringement."
92 Marriott's First Representations at para 3.2(a) have been considered and addressed in section 6 above.
93 Marriott's Second Representations, para 2.2(c).

7.11.   An extremely large number of individuals were affected by the
        breach, specifically, 339 million guest records, of which - for the
        purposes of this penalty - 30.1 million[94] were guest records
        associated with EEA member states. Marriott has explained that the
        total number of affected guests is difficult to estimate from this
        figure as it may hold multiple records for an individual guest.[95] Even
        taking into account that the true number of affected individuals may
        be 40% lower than initially estimated by Marriott,[96] this is still a
        significant number of individuals.

7.12.   The mitigating steps taken by Marriott will have gone some way to
        reassuring Marriott's customers and therefore may have reduced or
        mitigated the distress that may otherwise have been caused by the
        data breach. The assurances given and the mitigating steps taken
        by Marriott are taken into account below. It is nevertheless likely
        that some of the affected individuals will, depending on their
        circumstances, still have suffered anxiety and distress as a result of
        the disclosure of their personal information (including payment card
        information[97]) to an unknown individual or individuals. The
        Commissioner has considered in this regard the submissions made
        by Marriott in its Representations.[98] She notes the following points:


        a.   The Commissioner has not seen any evidence of financial
             damage and is not required to investigate the existence or
             otherwise of financial damage.[99] In calculating the appropriate
             level of penalty, the potential existence of such damage has not
             been assumed or taken into account.


        b.    I i possible that some       individuals may     have  cancelled   their
              payment     cards.  Contrary    to  Marriott’s   submissions,!°°     the
              Commissioner i not required to investigate or identify evidence

              of individuals actually cancelling their cards. In circumstances

° Marriott’s First Representations, page 65
° See Marriott’s Second Representations, paras 2.4-2.6.
% Ibid.
° Notwithstandingthe fact that there wano actual financial hato individuals, see Marriott’s
Second Representations para 2.7(a)(i).
° Marriott’s First Representatipara 3.1(d) and Marriott’s SecoRepresentationsparas 2.7-
2.8,
° A paint emphasisedi Marriott’s First Representatipara 3.2(d)(ii)(A); and Marriott’s Second
Representations, para 2.7(a)(i).
100 Marriott’s Second Representations, para 2.7(a)(iii).
                                                                                    53             where   a large number     of individuals have been      informed   that

             their   data,   including   some     credit  card   data    have   been
             compromised,      the Commissioner      considers   i likely that some
              individuals will have taken this step.


        c    The possibility that some     individuals may    have been prompted
             to cancel their payment cards i just one element of the overall

             assessment of whether the breaches of the GDPR           were likely to
             cause distress. The act of cancelling a card may        i and of itself
             only cause inconvenience. I i the reason why such action was

              necessary,   the  disclosure   of personal    information,    that  can
             cause distress amongst      some.


        d.   The   fact  that  the  Marriott  call  centre  received   57,000    calls
              between   30 November     2018 and 31 May 2019 (7,500 of these
              being   calls to  EU-based     call  centres)   i  indicative   of the

              potential  level of concern    amongst    affected  data subjects    on
              learning of the breach and subsequently.*%


        e.    Further,  even   i individuals   opted   not to cancel     their credit
             cards,    the   Commissioner      considers     i  likely   that   some
              individuals  will  have   experienced     distress   at  having   their

              personal data exposed      i a large-scale data breach.      Marriott’s
             suggestion that distress will only arise i cases where they are

             advised by their banks to cancel their payment cards!° ignores
             the fact that a      personal   data  (not just financial data)     i of
             significance to individuals, a significance which        i reflected i

             the legal protections afforded to that data under the GDPR.

7.13.   Duration:    Although    the Attack   itself spanned   a four-year    period,
        the infringements     that the Commissioner       relies on i this Notice

        occurred between     25 May 2018 (the date when the GDPR came into
        force) and 17 September       2018. The Commissioner       considers this to

        be a significant period of time over which         unauthorised    access to
        personal data went undetected       and/or unremedied.?°%







101 See further Step 5 below.
102 See Marriott’s SeconRepresentations,para 2.7(a)(iii), whii then contradictedby the
statement i para 2.7(a)(iv), which suggests that card cancellation i merely an “inconveniencan”
not, as suggestei sub-para (iii) a necessary componof a finding of distress.
103 Marriott’s First Representations at para 3.2(b) and Marriott’s Second Representations at para 2.3.
        The intentional or negligent character of the infringement (Article 83(2)(b))

7.14.   The Commissioner has had regard to the guidelines provided by the Article 29 Working Party in relation to assessing the character of the infringement in issue. It explains that:

            In general, “intent” includes both knowledge and wilfulness in relation to the characteristics of an offence, whereas “unintentional” means that there was no intention to cause the infringement although the controller/processor breached the duty of care which is required in the law.

            It is generally admitted that intentional breaches, demonstrating contempt for the provisions of the law, are more severe than unintentional ones and therefore may be more likely to warrant the application of an administrative fine. The relevant conclusions about wilfulness or negligence will be drawn on the basis of identifying objective elements of conduct gathered from the facts of the case...[104]

7.15.   The Commissioner recognises that the infringement was not an intentional or deliberate act on the part of Marriott. This has been taken into account in assessing whether a fine is appropriate in this case.

7.16.   The Commissioner does, however, consider that Marriott was negligent (within the meaning of Article 83(2)(b) GDPR) in maintaining systems that suffered from the vulnerabilities and shortcomings identified in Section 6 above.[105]

7.17.   In making this determination, the Commissioner places some weight on the relevant context: a company of the size and profile of Marriott is expected to be aware that it is likely to be targeted by attackers, sophisticated or otherwise. Marriott must be aware that the nature of its business involves processing large volumes of personal data, including sensitive personal data. The risk of any compromise of that information may have significant consequences for Marriott’s customers and its own business.

[104] pp. 11-12.
[105] Marriott’s general claim at para 2.9(b) of its Second Representations refers to its specific explanations in section 3 of those representations, which have been addressed in section 6 above.
7.18.   In view of these factors, the Commissioner: (a) would expect Marriott to have taken appropriate steps or a combination of appropriate steps to secure the personal data of its customers; and (b) considers that Marriott failed to comply with the standards imposed by the GDPR in failing to do so. Beyond this, the Commissioner has not treated the nature of Marriott’s conduct under Article 83(2)(b) as an aggravating factor in assessing whether to impose a penalty, or how much that penalty should be. However, she is obliged to take into account the character of the infringement under Article 83(2)(b). Thus, she does not consider that she has erred in “applying this factor”, as Marriott submitted in its First Representations.[106]

7.19.   Marriott relied upon the Article 29 WP Guidelines to argue that the draft decision failed to treat the fact that the breaches were not deliberate as a positive factor in its favour in assessing whether to impose a fine.[107] These Guidelines state that intentional breaches are more likely to warrant the application of a fine. Marriott submitted that if this is the case, the absence of intention must weigh in the controller’s favour.

7.20.   It is unclear what additional weight Marriott considers the absence of intention should attract in this case. The mere recognition in the Article 29 WP Guidelines of the obvious point that a deliberate breach is more likely to result in certain consequences does not alter the fact that a penalty may be imposed for a breach of a different nature (and nor would it be consistent with Article 83 GDPR if fines only applied to deliberate conduct). The Commissioner has taken into account the fact that the breaches were not deliberate as part of her overall assessment (as Marriott recognises[108]). However, in circumstances where, as here, the breaches were negligent within the meaning of Article 83(2)(b), that fact must also be taken into account when assessing whether to impose a fine and, if so, at what level.

7.21.   Marriott also criticised the Commissioner’s analysis as being duplicative because she had regard to, inter alia, the scale of Marriott’s processing operations in assessing whether its actions were negligent under Article 83(2)(b), as well as in assessing whether it complied with Articles 5 and 32 GDPR.[109] While it is true that the Commissioner considered some of these factors when concluding whether there was a breach of Articles 5 and 32, these factors are relevant in both contexts. The issue of whether a breach has arisen, and the nature of Marriott’s responsibility for it, are clearly related issues.

        Any action taken by the controller or processor to mitigate the damage suffered by data subjects (Article 83(2)(c))

7.22.   The Commissioner has carefully considered Marriott’s submissions to the effect that it could not discern from the draft decision how the mitigation action it took in response to the Attack has been taken into account because it was dealt with at this Step, rather than at Step 5.[110]

7.23.   The Commissioner remains of the view that it makes no difference to the ultimate decision on what, if any, penalty to impose whether the action taken by the controller to mitigate the damage is taken into account here, or under Step 5 in this Penalty Notice. However, she has decided to consider this issue separately under Step 5 in this Penalty Notice.

        The degree of responsibility of the controller or processor (Article 83(2)(d))

7.24.   As a controller, Marriott is responsible under the GDPR for the security of its systems and the protection of personal data stored within those systems. It is required by the GDPR to implement security measures to reduce the vulnerability of those systems, and the vulnerability of the personal data processed within those systems, to attack. While the entry of the Attacker into Starwood’s systems pre-dates Marriott’s acquisition of that company, Marriott had an ongoing duty to ensure the safety and security of the systems it was using to process personal data.

7.25.   As is clear from Section 6 above, there were multiple deficiencies in the security measures in place in respect of the Starwood system, which Marriott continued to operate to process personal data after the GDPR came into force. As a result, the Attacker was able to remain present and undetected in the system after 25 May 2018 until the triggering of the Guardium alert in September 2018.

7.26.   The Commissioner therefore considers that, for the duration of the infringement on which this penalty is based, Marriott is wholly responsible for the breaches of Articles 5(1)(f) and 32 GDPR described above.

7.27.   In its Representations, Marriott highlighted the fact that the NOI did not mention that Accenture provided it with third-party IT services.[111] In response to the draft decision, Marriott explained that in its view, the fact that it engaged Accenture to assist in the security management of the Starwood network should be taken into account in assessing Marriott’s responsibility for the Attack.

7.28.   It is acknowledged that Accenture is an experienced provider of security services and that it provided services in relation to Marriott’s security environment. However, the fact that it was charged with implementing, maintaining or managing certain elements of the system does not reduce Marriott’s responsibility for the breaches of the GDPR that have been identified. In circumstances where Marriott accepts that it is the relevant data controller, and significant failures in its security measures have been identified, the engagement of third parties cannot reduce its degree of responsibility.

7.29.   For the avoidance of doubt, however, in taking a holistic view of the security measures put in place, account has been taken of, for example, the fact that Guardium was in place and certain alerts were applied under that system (which Accenture monitored).

7.30.   Finally, Marriott is correct to state in its Representations that the Article 29 WP Guidelines provide that “industry standards... are important to take into account” when assessing compliance with the GDPR. The Commissioner has taken into account Marriott’s detailed submissions on its compliance with PCI DSS standards, in particular in respect to the concerns which arose in respect of the application of MFA across the Starwood network.[112] However, Marriott’s obligations under Article 5(1)(f) and Article 32 GDPR go beyond the requirements of the PCI DSS and extend to all personal data, not just cardholder information with which those standards are concerned. The fact that Marriott may have complied with certain industry guidance focusing on specific types of personal data does not obviate or reduce its responsibility for the security of all of the personal data it holds.

        Relevant previous infringements (Article 83(2)(e))

7.31.   Marriott has no relevant previous infringements or failures to comply with past notices.

7.32.   Marriott claims that this fact should weigh positively in its favour, rather than neutrally.[113] The fact that Marriott has no relevant previous infringements is a matter that has been taken into account in the Commissioner’s decision whether to impose a penalty, and in her decision as to the appropriate level of that penalty.

        Degree of cooperation with supervisory authority (Article 83(2)(f))

7.33.   Marriott has cooperated fully with her investigation and this has been taken into account.

        Categories of personal data affected (Article 83(2)(g))

7.34.   The Commissioner has identified the relevant categories of personal data in Section 4 above. As noted there, the data included in some (but not all) cases unencrypted passport details, details of travel, and various other categories of personal information including name, gender, date of birth, VIP status, address, phone number, email address, and credit card data.

[106] Marriott’s Representations, para 3.3.
[107] Marriott’s Second Representations, para 2.9(a).
[108] Ibid.
[109] Marriott’s Second Representations, para 2.9(c).
[110] Marriott’s Second Representations, paras 1.9-1.10, and 1.34.
[111] Marriott’s First Representations para 3.5, and Marriott’s Second Representations paras 2.10-2.11.
[112] See Marriott’s First Representations, para 3.6 and Marriott’s Second Representations para 2.12 and Section 3.
[113] Marriott’s First Representations, para 3.7.

        Manner in which the infringement became known to the Commissioner (Article 83(2)(h))
7.35.   Marriott notified the Commissioner of the Attack on 22 November 2018 and is considered to have complied with its obligations in this respect.

        Conclusion at step 2

7.36.   Taking into account: (a) the matters set out in Sections 2-4 and 6 above; (b) the matters referred to in this section; and (c) the need to apply an effective, proportionate and dissuasive fine in the context of a controller of Marriott’s scale and turnover, the Commissioner considers that a penalty of £28 million would be appropriate, before adjustment in accordance with Steps 3-5 below and the application of the Commissioner’s Covid-19 policy. This amount is considered appropriate to reflect the seriousness of the breach and takes into account in particular the need for the penalty to be effective, proportionate and dissuasive.

        Step 3: Adding in an element to reflect any aggravating factors (Article 83(2)(k))

7.37.   The amount of the penalty, as identified at Step 2, may be increased where there are ‘other’ aggravating factors.[114] In this case, the Commissioner does not consider there to be any other relevant aggravating factors. Thus, no adjustment is made to the penalty level determined at Step 2.

        Step 4: Adding in an amount for a deterrent effect on others

7.38.   The Commissioner is under an obligation to impose a penalty which is “dissuasive”. The need for the penalty to be dissuasive in relation to Marriott itself is addressed by the analysis at Step 2. Having regard to the amount of the penalty identified under step 2, the Commissioner does not consider it necessary to increase the penalty further under Step 4 to dissuade others.[115]

7.39.   The Commissioner is not aware of widespread issues of poor practice that may be particularly deterred by the imposition of a higher penalty. Given Marriott’s size and the scale of its operations, and the fact that the Commissioner has decided to impose a penalty that already takes those factors into account as part of the need to ensure that any penalty is proportionate, effective and dissuasive and to reflect the seriousness of the breach, the Commissioner considers that no adjustment is necessary under Step 4.

        Step 5: Reducing the amount (save that in the initial element) to reflect any mitigating factors, including ability to pay (financial hardship) (Article 83(2)(k))

7.40.   As explained above, in principle, other relevant mitigating factors could be taken into account under Step 2 or Step 5 of the RAP. Previously the Commissioner considered such matters in the round under Step 2 of the RAP, taking into account the factors in Article 83 GDPR and section 155(3) DPA 2018. However, in the light of Marriott’s representations for the purposes of this Penalty Notice the Commissioner has considered the relevant mitigating factors under Step 5.

7.41.   Following the guidance set out at page 11 of the RAP, and having considered Marriott’s Representations, the Commissioner has taken into account the following mitigating factors:

        a.   Marriott had, prior to becoming aware of the Attack, confirmed in 2018 a new $19 million security investment for 2019, which raised Marriott’s budgeted spend for that year on security to $49.5 million. Subsequent investment decisions in 2019 have raised Marriott’s forecasted IT security budget spend on IT security for 2020 to $108.5 million;

        b.   Marriott took immediate steps to mitigate the effects of the Attack and protect the interests of data subjects by implementing remedial measures;

        c.   Marriott cooperated fully with the Commissioner’s investigation, including responding promptly to requests for information;

        d.   Widespread reporting in the media of the Attack is likely to have increased the awareness of other data controllers of the risks posed by cyber-attacks and of the need to ensure that they take all appropriate measures to secure personal data; and

        e.   The Attack and subsequent regulatory action has adversely affected Marriott’s brand and reputation, which will have had some dissuasive effect on Marriott and other data controllers.

[114] In accordance with Article 83(2)(k) GDPR, section 155(3)(k) DPA, and page 11 of the RAP.
[115] This makes redundant the points about this Step made by Marriott in its Representations.
                                                                                 617.42.   More specifically, the Commissioner      has taken into account the fact
        that, upon   being alerted to the Attack,    Marriott acted   promptly to

        mitigate the risk of damage    suffered by data subjects, by way of the
        following technical remedial measures:


        a.   The deployment     of real-time monitoring     and forensic tools on
             70,000 devices on the Starwood       network;

        b.   Implementing     password   resets;


        c    Disabling known    compromised     accounts; and

        d.   Implementing     enhanced   detection tools.


7.43.   These measures should allow Marriott to prevent similar breaches i
        the  future,  including   by  identifying  any   additional  attackers   or
        malicious software being utilised on its servers.


7.44,   The Commissioner     has also taken into account the fact that Marriott
        also took steps to: (a) establish a notification and communication

        regime;    (b)  create   a  bespoke    incident   website   i   numerous
        languages;   (c) send 9.2 million notification emails to data subjects
        whose   country   of residence   was  recorded   i the Starwood      Guest

        Reservation Database as being i the EU); (d) establish a dedicated
        call centre;  (e) provide web    monitoring   to affected data subjects;

        (f) enhance its data subject rights programme;       (g) engage with card
        networks;    and    (h)  improve     its technical   and _ organisational
        measures    generally.1?©  I i also    noted   that  Marriott  informed   a

        number   of other regulatory and law enforcement agencies.

7.45.   I i acknowledged       that the steps   outlined   above   will have  gone
        some   way   to reassuring   Marriott’s customers,    and  therefore   may

        have   reduced   or mitigated    any  distress   caused   by the   breach.
        However, the fact that the Marriott call centre received 57,000 calls

        between 30 November       2018 and 31 May 2019 (7,500 of these being
        calls to EU-based   call centres)?!’ i indicative of the level of concern
        amongst    affected   data  subjects   on  learning   of the  breach   and

        subsequently.1!®


116 Marriott’s First Representations, para 3.4.
117 Marriott’s Second Representations, para 2.7(b)(ii).
118 Contrary to para 2.7(a)(b)(i) of MarriottRepresentations, i i not being suggested that
all of those who called Marriott’s call centre were suffering from distrbut i i likely

                                                                                 627.46.   Contrary to Marriott’s submissions,!+9 the fact that very few of these

        calls  were   escalated    internally  or  resulted   i   a complaint      i
        irrelevant. The information     provided   by Marriott suggests    that call
        handlers had FAQs available to advise customers on how to respond

        to the breach etc, which was presumably         intended to address most
        situations arising.!2° Thus,    the fact that only a certain number       of

        individuals had their calls escalated / resulted i a complaint does
        not provide   any   real indication  of the extent to which     individuals
        were distressed or harmed      by the loss of their data.


7.47.   Marriot also relied i this regard on a claim that the Commissioner’s
        findings of distress and harm     were materially undermined       because

        the centre only received     57,000   calls when   millions of individuals
        were affected by the breaches.!*! However, i circumstances where:

        (a)  Marriott   had   established    a dedicated     website   to   address
        concerns;   and   (b) individuals  may   have   sought  advice   from  third
        parties and/or acted on their own       knowledge    and experience,     the

        comparison     between     these   figures   does    not  undermine      the
        Commissioner’s findings. The number        of calls i sufficiently large to

        suggest that there were data subjects who were concerned.

7.48.   Thus, while the Commissioner        has taken   into account,   as outlined
        below,   the steps taken    by Marriott to mitigate     the impact    of its

        breaches   of the GDPR,    she  remains   of the view   that those  actions
        would not have    immediately neutralised all the concerns on the part

        of data subjects about their data being i the hands of criminals /
        outside of Marriott’s control.


7.49.   Having    regard   to  the  mitigating    factors  set  out   above,   i i
        appropriate to reduce the £28 million penalty by 20%,         i.e. to £22.4
        million.


7.50.   As a result of the Covid-19 pandemic,       Marriott has also argued that
        any penalty should     be reduced   because of the financial hardship      i

        would cause.

7.51.   The  Commissioner     has considered     Marriott’s representations,    and
        the evidence   i has provided. Although the Covid-19         pandemic   has


that - as stated here - the majority of callers were at least sufficiently concerned to make the call,
which i inconsistent with Marriott’s position that no or only trivial harm at all would have arisen.
119 Marriott’s Second Representations, para 2.7(b)(iii).
120 Marriott’s Second Representations, para 2.7(b)(iii).
121 Marriott’s Second Representations, para 2.7(b)(iv).
                                                                                  63        had  a significant impact   on Marriott’s revenues,     Marriott’s overall

        financial position i such that the Commissioner        does not consider
        that the imposition    of a penalty   i the range    being  proposed   will
        cause financial hardship, or that Marriott will be unable to pay such

        a penalty.

7.52.   However,   the Commissioner      has published   guidance   entitled “The

        ICO’s  regulatory   approach    during  the  Coronavirus    public  health
        emergency”.'?2    That  guidance    indicates  that “As set out in the
        Regulatory Action Policy, before issuing fines we take into account

        the economic    impact   and affordability.  In current circumstances,
        this is likely to mean the level of fines reduces.” While   the proposed

        penalty   will  not   cause    financial  hardship    for  Marriott,   the
        Commissioner     considers  i appropriate   to reduce   the penalty that

        would  otherwise   have  been   imposed,   i light of the current public
        health  emergency    and  associated   economic   consequences.    This i
        addressed   below, separately from Step 5.


7.53.   The Commissioner      has carefully considered    Marriott’s submissions
        that there   are other additional    mitigating  factors that should    be

        taken into account i this case.!23 However, none of the points raised
        justify a further  reduction   of the appropriate    penalty  beyond   the
        discount set out above. In particular:


             The Commissioner      does not consider i appropriate to further
             reduce the penalty by reference to costs to Marriott of taking

             measures    to rectify or mitigate the impact of its infringement,
             including the cost establishing a bespoke      website, call centre,

             web   monitoring,   the enhancement      of Marriott’s data   subject
             rights programme,     and any other customer-facing      remediation
             activities. The fact that Marriott was required to expend     a large

             amount   - on Marriott’s assessment     i excess of $50 million+
             - i    customer-facing    remediation    activities  i  not   directly

             relevant to the amount of any penalty. The fact that mitigating
             measures were taken, i accordance with Marriott’s obligations
             as a controller, has already been taken into account.






122 Version 2.1, 13 July 2020.
123 Marriott’s First Representations, para 3.13(c).
124 Marriott’s First Representations, paras 3.4(a) and 3.13(c)(vi).
             Marriott’s preparations for the introduction of GDPR are noted.[125] However, these do not address the Commissioner’s conclusions on Marriott’s failure to implement appropriate security measures in relation to the systems it acquired from Starwood.

             The Commissioner has recognised that the Attack involved persistent criminal activity.[126] But this does not alter the fact that the security of Marriott’s network was inadequate in a number of respects, and that those failings could and should have been addressed on a prospective basis through the implementation of appropriate measures. It is Marriott’s breaches of Articles 5(1)(f) and 32 GDPR for which it is being penalised, not the actions of third parties.

             The security measures that were deployed on the Starwood security environment and on the Starwood Guest Reservation Database are noted.[127] However, the existence of these measures does not detract from the Commissioner’s conclusions on Marriott’s failure to implement appropriate security measures (see section 6). That Marriott took some steps to secure the Starwood system is not considered to be a mitigating factor in the circumstances of an infringement of this scale and severity.


7.54.   Accordingly, having carefully considered the mitigating factors raised by Marriott, which are relevant to the assessment of the appropriate level of any penalty, the overall penalty payable by Marriott after Step 5 is £22.4 million.

        Application of Covid-19 Policy

7.55.   As described above, having regard to the impact of the Covid-19 pandemic (on Marriott and more generally), and consistently with the Commissioner’s published guidance, a further reduction is appropriate and proportionate. The final penalty payable will therefore be reduced to £18.4 million.





125 As relied upon at paras 3.13(c)(iii) of Marriott’s First Representations.
126 Marriott’s First Representations, para 3.13(c)(iv).
127 Marriott’s First Representations, para 3.13(c)(i)-(ii).
        Application of the fining tier(s) (Articles 83(4) and (5) GDPR)

7.56.   The infringement of Article 5(1)(f) GDPR falls within Article 83(5)(a) GDPR, whereas Article 32 falls within Article 83(4)(a). The appropriate tier is therefore that imposed by Article 83(5)(a) as this is the gravest breach in issue in this case.

7.57.   In any event, for the year ended 31 December 2017 Marriott has confirmed that its relevant worldwide annual turnover is $4.997 billion. The penalty the Commissioner has decided to impose on Marriott is the sum of £18.4 million. This is considerably less than 4%, indeed considerably less than 1%, of Marriott’s total worldwide annual turnover, and accordingly well within the cap imposed by Article 83(5) GDPR.

Marriott’s other representations on the decision to impose a penalty and the appropriate penalty amount

7.58.   Marriott’s Representations contained detailed submissions in response to: (a) the Commissioner’s decision to impose a penalty at all; and (b) the proposed penalty amount, as indicated in the Notice of Intent. The Commissioner has carefully considered those submissions and, to the extent they have not been addressed above, responds to them below.


7.59.   In summary, Marriott submitted as follows:

        a.   First, the Commissioner misapplied Article 83(2) in deciding to impose a fine and in determining the appropriate level of penalty. A proper application of that Article should result in no fine being imposed at all or, in the alternative, it should result in the imposition of only a low level of penalty;[128]

        b.   Second, the Commissioner unlawfully applied an unpublished internal document, entitled “Draft Internal Procedure for Setting and Issuing Monetary Penalties”, in setting the proposed penalty on Marriott which was included in the NOI.[129] However, setting a proposed penalty amount without the Draft Internal Procedure (or similar), as the Commissioner did in the draft decision, also offends the principle of legal certainty.[130]

128 Marriott’s First Representations, Executive Summary, para 8 and Section 3; and Marriott’s Second Representations, Section 2.
129 Marriott’s First Representations, Executive Summary, para 9(a) and paras 4.2-4.12, 4.14(e), 4.19.

        c.   Third, the Commissioner erred by relying on turnover as the sole metric in determining the level of fine proposed in the NOI, and in continuing to treat turnover as the most important factor in its quantification analysis in the draft decision;[131]

        d.   Fourth, the Commissioner has applied the wrong fining Tier under Article 83 GDPR in calculating the proposed fine;[132]

        e.   Fifth, the Commissioner erred in the NOI by applying an uplift to ensure an appropriate deterrent effect;[133]

        f.   Sixth, the Commissioner breached Marriott’s legitimate expectation that she would operate her fining powers under the GDPR in accordance with past precedents, i.e. decisions made under the DPA 1998 and/or only applying incremental increases to the fines that would have been imposed under the 1998 Act (which was subject to a £500,000 maximum fine limit).[134] This same failure, which Marriott described as a failure to comply with the “Precedents-Based Approach”, is also said to amount to a breach of the principle of legal certainty.[135] In its Second Representations, in particular, Marriott contends that in the absence of any new guidance providing a clear and specific quantification methodology determining how fines are to be calculated, any decision to issue a fine would breach that principle.[136] In this regard Marriott also relies on a comparison with a case decided by the Financial Conduct Authority (the “FCA”) in respect of Tesco Bank.[137] It also relies on an alleged inconsistency between the penalty proposed in this case and those imposed through other decisions issued by the Commissioner and by other European supervisory authorities.[138]

130 Marriott’s Second Representations, Executive Summary, para 1 and paras 1.1-1.5.
131 Marriott’s First Representations, Executive Summary, para 9(b), and paras 4.14-4.15; and Marriott’s Second Representations, paras 1.35-1.38.
132 Marriott’s First Representations, Executive Summary, para 9(b), and paras 4.16-4.17.
133 Marriott’s First Representations, paras 4.24-4.30.
134 Marriott’s First Representations, Executive Summary, para 9(c), and paras 4.36-4.41; Marriott’s
135 Marriott’s First Representations, Executive Summary, para 9(c), and paras 4.50-4.73; and Marriott’s Second Representations, Executive Summary, para 1, and para 1.1.
136 Marriott’s Second Representations, Executive Summary, para 1 and paras 1.6-1.11.
137 Marriott’s First Representations, paras 4.3; and Marriott’s Second Representations, paras 1.26-1.27.

        g.   Seventh, the Commissioner has acted contrary to the RAP because she has failed to calculate the penalty proposed in the NOI and the draft decision in accordance with its terms;[139] and

        h.   Eighth, the Commissioner proposed a penalty in the NOI which is disproportionate on its face, and the revised penalty set out in the draft decision remains disproportionate.[140]

        (1) Application of Article 83(2)


7.60.   The Commissioner has described at paragraphs 7.3-7.53 how the factors listed in Article 83(2) apply to the facts of this case. In its Representations, Marriott criticised the Commissioner’s findings in this regard. Where necessary those criticisms have been addressed at each step of the analysis set out above and/or in Section 6 above.

        (2) Draft Internal Procedure

7.61.   Prior to issuing the NOI in this case, the Commissioner had developed a Draft Internal Procedure for calculating proposed fines, as a supplement to the RAP. Its purpose was to provide an indicative guide, by reference to the turnover of the controller, as to the appropriate penalty. As the GDPR is a new regime, this additional tool was intended to assist the decision-makers in applying Article 83 GDPR and the RAP to the facts of a particular case.

7.62.   Marriott made detailed submissions on this issue.[141] The Commissioner has considered those submissions in deciding how to approach the calculation of the penalty to be imposed in the draft decision, and ultimately in this Notice.


7.63.   The Commissioner remains of the view that the controller’s turnover is a relevant consideration in determining the appropriate level of penalty (see below), but she has decided that the Draft Internal Procedure should not be used. Therefore, in deciding the appropriate penalty in this case the Commissioner has not relied on the Draft Internal Procedure (she did not rely upon it for the purposes of her draft decision, and the same approach was adopted in preparing this Penalty Notice). She has instead relied only on Article 83 GDPR, section 155 DPA and the RAP. The approach taken to the calculation of the penalty for the purposes of this Notice is set out above.

138 Marriott’s Second Representations, Executive Summary, paras 1.12-1.19.
139 Marriott’s First Representations, paras 4.42-4.49; and Marriott’s Second Representations, Executive Summary, para 2, and paras 1.32-1.34.
140 Marriott’s First Representations, Executive Summary, para 9(d), and paras 4.74-4.77; and Executive Summary, para 1, and paras 1.39-1.41 of Marriott’s Second Representations.
141 See paras 4.2-4.12 of Marriott’s First Representations and paras 1.2-1.5 of Marriott’s Second Representations in particular.

7.64.   Marriott is wrong to assert that, but for its pressing for disclosure in correspondence, the Commissioner would not have disclosed the draft guidance document.[142] The policy was provided on 2 August 2019 in response to a request made in a letter from Marriott dated 24 July 2019. The NOI set out how the penalty was arrived at. The Commissioner also provided further information about how the penalty was calculated in her letter of 17 July 2019. The Commissioner is obliged to consult the controller on the NOI and she did so. Marriott took the opportunity to make detailed submissions, and the Commissioner has carefully considered all those submissions, and acted upon them to address the concerns raised.

7.65.   Marriott’s First Representations also criticised the use of a percentage range as part of its process for calculating the proposed penalty (applying the Draft Internal Procedure) and/or the way in which the Commissioner applied the turnover bands at the NOI.[143] As this approach has not been adopted in this Notice, nor has the Draft Internal Procedure been applied, the Commissioner does not respond to the individual points made by Marriott on the application of the Draft Internal Procedure further here.


7.66.   In its Second Representations, Marriott states that whilst it welcomes the fact that the Draft Internal Procedure is no longer relied upon by the Commissioner, (a) the Commissioner cannot rely upon the £99.2m figure proposed in the NOI as a reference point when assessing the legality or proportionality of the present proposed penalty figure;[144] (b) the RAP cannot constitute an adequate basis for the calculation of a penalty in circumstances where the Commissioner had previously devised the Draft Internal Procedure;[145] and (c) in the absence of the Draft Internal Procedure, there is a lack of clarity governing penalty calculation, which undermines legal certainty.[146] These points are not accepted for the following reasons.

142 Marriott’s Representations, paras 4.2 and 4.8.
143 Marriott’s Representations, paras 4.19-4.23.
144 Marriott’s Second Representations, para 1.3.
145 Marriott’s Second Representations, para 1.4.


7.67.   First, the Commissioner does not seek to use the figure of £99.2m, as proposed in the NOI, as a “reference point” for the penalty set in the draft decision, or the present penalty. Rather, the Commissioner carried out a fresh calculation exercise having regard to the factors listed under Article 83 of the GDPR and the RAP. See further para 7.128 below.

7.68.   Second, the Draft Internal Procedure was not developed to ‘cure’ any gap in legal certainty left by the RAP. It was intended to be a helpful supplement to the RAP for internal decision-making purposes. In deciding what level of penalty may be (at the consultation stage) or is appropriate in this case, the Commissioner has always applied the approach set out in the RAP, and considered the factors under Article 83 GDPR. The fact that a document was created to provide supplemental detail to the RAP does not render the RAP so deficient as to prevent a penalty being calculated in this case. Marriott’s submissions on legal certainty are addressed in more detail below.

        (3) The Commissioner’s reliance on Marriott’s turnover

7.69.   Marriott advanced a number of criticisms of the Commissioner’s reliance on turnover in calculating her proposed penalty in its First and Second Representations (see, for example, para 4.14 of its First Representations).

7.70.   First, Marriott submitted that the only metric the Commissioner used to calculate the penalty proposed in the NOI was turnover. This is incorrect. As is clear from the NOI itself, while turnover was used as a starting point in seeking to assess the appropriate penalty, a range of other relevant factors were considered in accordance with the RAP and the GDPR. In any event, the turnover-bandings set out in the Draft Internal Procedure have not been used in preparing this Notice.


7.71.   Second, Marriott submitted that turnover cannot be regarded as a core metric in a case such as this where the wrongdoer has not profited from the breach. Marriott claimed that there is no logical relationship between the breach and the controller’s turnover. The Commissioner’s approach, Marriott said, simply punishes a controller for being a large undertaking. Marriott compares the penalty proposed in this case to the Commissioner’s decision regarding Doorstep Dispensaree Ltd, dated 20 December 2019, suggesting that this shows that the Commissioner is treating turnover, unjustifiably, as the most important factor.[147]

146 Marriott’s Second Representations, para 1.5.

7.72.   The Commissioner does not accept these arguments. She considers turnover to be a relevant consideration in determining the appropriate level of penalty in this case (as well as in other cases not involving a controller profiting from a breach), for the following reasons:

        a.   A turnover-based approach is consistent with the approach taken to penalties in the GDPR. The Data Protection Directive did not prescribe the level of fines that Member State authorities should impose for data breaches. The GDPR departs from that approach. In doing so, it expresses the maximum penalty in terms of a percentage of turnover. Turnover is therefore a relevant factor in determining the appropriate level of penalty to be imposed. This is also reflected in the Recitals, which make clear that the economic position of the controller is relevant even where the controller is a private person and not an undertaking: “Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine.”


        b.   Further, and in any event, the Commissioner is obliged to ensure that any penalties imposed are “effective, proportionate and dissuasive”. Having regard to a data controller’s turnover complies with this principle by ensuring that the level of any penalty is not only proportionate, but is also likely to be an effective and dissuasive deterrent for the undertaking on which it is imposed, and other equivalent controllers. It is self-evident that imposing the same penalty on an undertaking with a turnover of billions of pounds as would be imposed on a small or medium sized business would not be effective, proportionate or dissuasive. Comparable regulatory regimes that share the GDPR’s emphasis on deterrence, such as under competition law, also take turnover into account in some form in setting penalties.

147 Marriott’s Second Representations, paras 1.36-1.37.


        c.   Marriott’s claim that the introduction of the maximum amount safeguard caps in Articles 83(4) and (5) does not mean that turnover can be treated as a relevant metric is incorrect, for the reasons articulated in points (a) and (b) above.[148] In particular, Marriott’s claim that treating turnover as a relevant metric “outside of disgorgement of profits cases is illogical and perverse” does not withstand scrutiny. It is plain from the relevant provisions of the GDPR, read as a whole, that the economic position of a controller is one relevant factor in determining what penalty is appropriate on the particular facts of any case. The GDPR does not limit the relevance of turnover to cases involving disgorgement.

        d.   As to the decision in Doorstep, the difference between the turnover of that controller and Marriott is obviously relevant. However, each case is considered on its individual facts. Marriott’s attempts to compare the number of records involved, and then scale up the appropriate level of fine (60 times the number of records, results in a maximum 60 times higher level of fine), are misconceived. See further paras 7.116-7.119 below.

7.73.   Third, Marriott submitted that any penalty regime engages the fundamental rights of controllers, including their fundamental right to property as provided for under Article 1 of Protocol 1 of the European Convention on Human Rights, and Article 17 of the EU Charter of Fundamental Rights.[149] The Commissioner recognises that in imposing a penalty on a controller, she must comply with any relevant fundamental rights that are engaged, including under the ECHR or the EU Charter. However, it is not accepted that taking into account a controller’s turnover in determining the appropriate penalty is incompatible with those rights because it is arbitrary or results in grossly disproportionate levels of penalty (as Marriott contended at para 4.14(c) of its First Representations). It is an approach that complies with the regime established by the GDPR.





148 Marriott’s First Representations, para 4.14(d).
149 Marriott’s First Representations, para 4.14(c).
7.74.   Fourth, Marriott contended that the turnover approach is inconsistent with the RAP.[150] This is incorrect.

7.75.   As explained above, the calculation of the proposed penalty in the NOI was not exclusively based on turnover, contrary to Marriott’s claim. It took account of the various factors discussed in the RAP. This Notice addresses each step of the process of the RAP in turn to make even clearer that the penalty has been set in accordance with its terms. Turnover is relevant to establishing whether a penalty is appropriate, proportionate, effective and dissuasive in applying the steps set out in the RAP, as explained above.

7.76.   Moreover, Marriott’s reliance in this regard on the reference in the RAP to circumstances in which the Commissioner will convene an advisory panel is misplaced.[151] The RAP describes “very significant” penalties as those “expected to be those over the threshold of £1M” in that particular context, i.e. the context in which the Commissioner may convene an advisory panel. This was not intended to be - and in any event cannot objectively be read as giving - an indication to controllers of the likely penalty they may face in the event of a data breach, particularly in light of the provisions of GDPR. The section of the RAP setting out how penalties will be calculated does not refer to the concept of “very significant” penalties at all.

7.77.   Consequently, the RAP’s discussion of when an advisory panel may be convened is no basis for saying that turnover is not a relevant factor in determining penalty. Marriott was also therefore wrong to claim in its Representations that: (a) the £1 million figure referred to in the discussion of when an advisory panel may be appropriate should be the starting point for calculating fines in the most serious and significant cases before the Commissioner;[152] and (b) the Commissioner must justify imposing any fine above that threshold figure. This is a misreading of the RAP, see further below.


7.78.   Fifth, Marriott contended that what the Commissioner should have done in quantifying the appropriate penalty was to “(a) start with what an infringement of this nature is objectively worth in penalty terms having regard to its nature, gravity and duration, irrespective of the financial stature of the wrongdoer; then (b) add or take away amounts to reflect respectively aggravating and mitigating factors; before moving at the final stage of the analysis to (c) the question of whether, in view of all the circumstances, some increase in the penalty is required to ensure a deterrent effect.”[153]

150 Marriott’s First Representations, para 4.14(f).
151 Page 26 of the RAP. See also para 4.46 of Marriott’s First Representations.
152 Marriott’s First Representations, para 4.46.


7.79.   The Commissioner’s approach is set out above. She has considered each step of the RAP, and all of the factors listed in Article 83 GDPR, in order to arrive at the overall appropriate penalty. Given that the financial stature of the wrongdoer would need to be taken into account at least in considering whether an increase in fine would be necessary to secure a deterrent effect, it is not clear that adopting the alternative structure proposed by Marriott would make any material difference to the outcome.

        (4) The appropriate tier

7.80.   In response to the NOI, Marriott submitted that the Commissioner had applied the wrong fining tier. It was said that the Commissioner incorrectly categorised the breaches in issue as a Tier 2 infringement, allowing for a maximum fine of 4% of turnover.[154] This submission was based, in summary, on the following points:

        a.   Article 5(1)(f) is simply a shorter, summary version of the more detailed and specific obligation in Article 32. Article 32 GDPR therefore amounts to the lex specialis of Article 5(1)(f) and should therefore take precedence.

        b.   The maximum fine should be 2% in this case because:

              i.   Any ambiguity in the wording of a provision of law imposing a civil penalty should be resolved in favour of the controller.

              ii.  The wording of Article 83(4) makes clear that the intention was to impose this lower maximum cap for breaches of Article 32, which is the lex specialis.

7.81.   The Commissioner does not accept these submissions, for the following reasons.





153 Marriott’s First Representations, para 4.15.
154 Marriott’s First Representations, paras 4.16-4.17.
7.82.   First, the GDPR addresses expressly what the appropriate maximum fine should be when a controller breaches the “basic principles of processing” under Article 5 GDPR. Article 5(1)(f), as one of the basic principles of processing, cannot be dismissed as simply a summary of a later new provision included in the GDPR. The EU legislature has made it clear that a higher penalty is appropriate where a controller is found to have breached the basic principles of processing that underpin the regime. Contrary to Marriott’s submissions, Article 83(5)(a) provides in clear, explicit and unambiguous terms that 4% is the appropriate cap for breaches of Article 5, including Article 5(1)(f).


7.83.   Second, the GDPR also recognises that the same or linked processing operations may give rise to infringements of several provisions of that Regulation. It addresses this by making clear that the total amount of any penalty is to be subject to the amount specified for the gravest infringement (see Article 83(3)).

7.84.   Third, the principle of lex specialis means that “where a legal issue falls within the ambit of a provision framed in general terms, but is also specifically addressed by another provision, the specific provision overrides the more general one.”[155] The Commissioner does not accept that the application of the lex specialis principle precludes the Commissioner from treating this case as a Tier 2 infringement.


7.85.   Article 5(1)(f) and Article 32 are evidently distinct provisions of the GDPR, notwithstanding the degree of overlap. Article 32 applies to processors, whilst Article 5 does not. Contrary to Marriott’s submission, there is no basis upon which to give Article 32 precedence over Article 5(1)(f). They can be applied to controllers at the same time: Article 32 does not override the basic requirements laid down in Article 5(1)(f), read with Article 5(2), which establish the responsibility of the controller for demonstrating compliance with the security obligation and any breach of that principle.


7.86.   Further, and in any event, the provisions in Article 83(4) and Article 83(5) are distinct provisions which make explicit provision for different fining tiers to apply to breaches of Articles 5 and 32 GDPR. It is clear that any infringement of Article 32 falls within the scope of Article 83(4) whilst an infringement of Article 5(1)(f) falls within the scope of Article 83(5). Article 83(4) is not more specific than Article 83(5). It is incapable of overriding or taking precedence over it. Rather, any issue as to which maximum penalty applies is resolved by the application of Article 83(3) which states in terms that in these circumstances “the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.” The legislation itself provides the mechanism for addressing circumstances in which processing engages more than one obligation.

155 R (Hallam) v Secretary of State for Justice [202 at [144]. See also Case T-60/06 RENV II Italy v Commission (2016), at [81].


7.87.   The Commissioner notes that her interpretation of Articles 83(4)-(5) is supported by the Article 29 Working Party’s Guidelines on the application and setting of administrative fines for the purposes of the GDPR, which state:

          Specific infringements are not given a specific price tag in the Regulation, only a cap (maximum amount). This can be indicative of a relative lower degree of gravity for a breach of obligations listed in article 83(4), compared with those set out in article 83(5). The effective, proportionate and dissuasive reaction to a breach of article 83(5) will however depend on the circumstances of the case...

          The occurrence of several different infringements committed together in any particular single case means that the supervisory authority is able to apply the administrative fines at a level which is effective, proportionate and dissuasive within the limit of the gravest infringement. Therefore, if an infringement of article 8 and article 12 has been discovered, then the supervisory authority may be able to apply the corrective measures as set out in article 83(5) which correspond to the category of the gravest infringement, namely article 12....[156]


7.88.   Fourth, i any event, Marriott’s main objection to the use of the 4%
        maximum     penalty appears to be its impact on the turnover-bands
        applied  under  the Draft Internal    Procedure,   which  was   applied  i

        calculating the proposed   fine included i the Notice of Intent. As this


156 Pages 9-10.
                                                                                16        approach    has  not been   adopted    i determining     the final level of
        penalty to be imposed      by this Notice, the same      concerns    do not

        arise. I i noted that the final penalty imposed      i well below the 2%
        cap, and so the application of that cap i reaching the final decision,

        as opposed   to a 4%   cap, would have made      no difference.

7.89. Marriott also asserted in a single paragraph of its First Representations that the Commissioner's approach to quantification is "wholly arbitrary".[157] This is not accepted, either as a criticism of the NOI or this Notice. It appears that this argument rested on Marriott's contention that there are no clear and precise rules in place governing the setting of the penalty by the Commissioner. This claim is addressed below.

(5) An uplift to ensure a deterrent effect

7.90. Marriott claimed that the proposal in the NOI to increase the proposed penalty for the infringement to 2.5% to ensure that it would have a sufficient deterrent effect was arbitrary and unlawful.[158] This is not accepted. The Commissioner is obliged to consider whether such an uplift should be made under the RAP and Article 83 GDPR.

7.91. Marriott's criticisms of the NOI in this regard relied heavily on its criticisms of the previous use made of the Draft Internal Procedure's turnover-based approach in setting the proposed penalty at that stage.[159] These points have been addressed above. It is, however, important to note that para 61(d) of the NOI explained that in the light of the scale and severity of the infringement and factors discussed in para 61(a)-(c), a penalty of between 1.5 and 2% would be appropriate and proportionate. Para 61(f) then went on to consider what an appropriate uplift would be to ensure a deterrent effect, which was a separate issue that warranted individual consideration at a later stage of the analysis. These are separate steps under the RAP (see Section 2 above). It is therefore incorrect to assert, as Marriott did, that any uplift from the judged starting point means that the Commissioner: "is knowingly imposing a disproportionate penalty sum."[160]

157 Marriott's First Representations, para 4.18.
158 Marriott's First Representations, para 4.24.
159 Marriott's First Representations, paras 4.25-4.30.
160 Marriott's First Representations, para 4.25.

7.92. In any event, as set out above under Step 4, no additional amount has been added in this case for deterrent effect.

(6) Legitimate Expectation and Legal Certainty

The alleged legitimate expectation

7.93. In response to the NOI and draft decision, Marriott relied on selective quotes from public statements made by the Commissioner or her office about the new GDPR regime to contend that fines under the GDPR should be set in accordance with past precedents, i.e. decisions made under the DPA 1998.[161] What Marriott seeks, in effect, is for the Commissioner unilaterally to impose the previous domestic cap and approach to fines which applied in the UK prior to the harmonised regime under the GDPR.

7.94. Plainly it is not open to the Commissioner, as a matter of domestic or EU law, to adopt unilaterally an approach that would undermine the object and purpose of the new EU regime.

7.95. The GDPR, and consequently the DPA, represent a significant departure from the regime under DPA 1998 and the 1995 Directive. The GDPR was expressly intended to harmonise the rights of, and protections afforded to, data subjects across the EU. It differs markedly from the 1995 Directive, most obviously in that it introduces significantly higher and more effective penalties, with maximum penalties defined expressly by reference to turnover. The GDPR also imposes new obligations on controllers, including new organisational requirements such as the designation of a data protection officer and new provisions on the lawfulness of processing. The GDPR and the DPA have significantly changed the legal landscape in data protection and enforcement.

7.96. Marriott's submissions are to the effect that public statements made by the Commissioner override these changes, and as such she is bound to apply in effect the DPA 1998 and/or only apply incremental increases to the level of fine that would have been issued under that Act. Public statements made by the Commissioner or her staff, which are in any event quoted selectively and/or taken out of their proper context by Marriott, are incapable of achieving this outcome.

161 Marriott's First Representations, paras 4.37-4.41. See also Marriott's First Representations, paras 4.65-4.66, see also Marriott's Second Representations, para 1.28-1.31.
7.97. More specifically, the public statements referred to by Marriott in its Representations were not intended to be - and cannot objectively be read as - assurances to any controller that the Commissioner would not use her powers on a case by case basis, to impose effective, proportionate and dissuasive penalties in appropriate cases. Marriott disputes this; however, the Commissioner maintains her position for the following reasons:

        a. Marriott refers to a blog post published by Elizabeth Denham on 9 August 2017.[162] Whilst it is true that the post states that the Commissioner will not "simply scale up penalties" issued under the DPA 1998, it also states: "Don't get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in the 21st century world. We intend to use those powers proportionately and judiciously."

        b. Marriott refers to a speech made by James Dipple-Johnstone at the Data Protection Practitioner's Conference on 9 April 2018;[163] however, the quotation which Marriott selectively cited is preceded by a summary of the approach the Commissioner intended to take, including "we will look at each case on its own merits. We'll look at the features and context of each case. And, this is important, we will focus on area of greatest risk to people - potential or actual harm... The more serious, high impact, deliberate, wilful or repeated breaches can expect the most robust response."

7.98. There is nothing within these quotations which can be read as giving rise to a legitimate expectation that the Commissioner would either: (a) issue fines in accordance with the previous maximum limit which applied under the DPA 1998 and/or past cases issued under that Act; or (b) only apply incremental increases to the level of fine that would have been imposed under the DPA 1998.[164] As made clear in the blog and speech to which Marriott has referred, the Commissioner had always been clear that she would (in accordance with her obligations) use her full powers on a case by case basis, to impose effective, proportionate and dissuasive penalties in appropriate cases, which includes the possibility of large fines.

162 Marriott's Second Representations, para 1.29(a).
163 Marriott's Second Representations, para 1.29(b).
164 Marriott's Second Representations, paras 1.30-1.31.


7.99. Marriott accepted in its Second Representations that the Commissioner is not constrained by the previous statutory maximum of £500,000.[165] But in practice, its attempt to limit the Commissioner to only making incremental increases to the fine level that would have applied under the DPA 1998 amounts to the same thing. The starting point is the application of Article 83 GDPR, the DPA 2018 and the RAP. It is not what the decision would have been under a superseded legal regime.

The alleged lack of legal certainty

7.100. As set out above, the Commissioner recognises that in imposing a penalty on a controller, she must comply with any relevant fundamental rights that are engaged, including under the ECHR or the EU Charter. She does not accept, however, that the penalty regime applicable under, in particular, Article 83 GDPR lacks sufficient certainty such that it cannot be lawfully applied. That is in effect Marriott's case. It contends that unless the Commissioner applies a precedents-based approach based on decisions made under the DPA 1998, it is impossible for the Commissioner to meet the requirement of legal certainty.[166]

7.101. The DPA reflects the directly applicable EU law framework for determining penalties. The Commissioner does not agree with Marriott that Article 83 GDPR or section 155 DPA are so unclear that they are unlawful. Taken together, those provisions specify the circumstances in which a data protection authority has the power to impose an administrative penalty, and the matters that are relevant to that decision and the amount of any penalty. The legislative regime is supplemented by the RAP, which provides additional guidance in this regard. Contrary to para 4.60 of Marriott's First Representations, the RAP cannot be dismissed as "unclear and open-ended".

7.102. Marriott's submissions on legal certainty are wrong for the following seven reasons.

165 Marriott's Second Representations, para 1.30.
166 Marriott's First Representations, paras 4.50-4.73.

7.103. First, in accordance with section 161 DPA 2018 the RAP was laid before Parliament for approval, and was duly approved.

7.104. In its Second Representations, Marriott emphasised the fact that Articles 83(8)-(9) and 70(1)(k) GDPR "directly envisage and expect" that the high-level principles set out in the legislation will be the subject of national or supranational guidance.[167] Pursuant to section 160 DPA, the Commissioner is obliged to issue guidance in respect of how she will determine the amount of penalties to be imposed. She has done so through the RAP.

7.105. Second, the RAP, which must be read alongside the DPA and, in particular, Article 83 GDPR, provides sufficient clarity and legal certainty, as required under the ECHR and EU law. In particular, the RAP explains that Step 2 intends to "censure" the breach, and this requires taking into consideration its scale (including the number of data subjects affected) and the severity of the breach itself, and expressly refers to the factors set out in the DPA. Examples of aggravating factors are set out in the RAP to assist with the interpretation of Step 3, as well as mitigating factors (to be considered at Step 5). Marriott's argument appears to be that because it is possible for the RAP to be more detailed, it must follow that the RAP is insufficiently detailed to fulfil the requirements of legal certainty. That is not the case.

7.106. It is not suggested that it is impossible to produce more detailed quantification guidance.[168] The GDPR is a new regime. Whilst not necessary for the purposes of legal certainty, more detailed guidance may well be developed over time as the UK and EU Member States gain experience in applying it. The Commissioner has committed to updating the guidance available in the future. However, the fact that there is potential for further development of the guidance does not mean that the present guidance is so unclear as to be unlawful. The RAP provides sufficient guidance as to the circumstances in which penalties, including large penalties, will be applied.

167 Marriott's Second Representations, para 1.9.
168 Marriott's Second Representations, para 1.10.

7.107. Third, it is neither necessary nor possible to produce a specific quantification framework which tells controllers precisely what level of fine they may face.

7.108. In para 1.9 of its Second Representations, Marriott claims that the Commissioner cannot lawfully impose penalties without setting out a further quantification methodology.[169] This is incorrect. The guidance available from Article 83 GDPR, the DPA and the RAP cannot be rejected as legally uncertain purely on the basis that it does not attempt to specify exactly what levels of penalty might attach to wrongdoing.[170]

7.109. It would be impossible for the Commissioner to specify all the types of situations, and relevant circumstances, in which a penalty may be imposed under the GDPR. Nor could any guidance permit a controller to calculate specifically what any fine might be (especially by reference to a particular fine). The guidance must be general enough in order to cover a wide range of potential situations, and respect the general discretion of the Commissioner (subject to public law principles). The GDPR also requires the Commissioner to take a case-by-case approach, guided by the need to ensure that any penalty is effective, proportionate and dissuasive, and subject to the prescribed turnover caps.

7.110. Fourth, contrary to Marriott's submissions,[171] there is also no flaw in the Commissioner's approach because, on the particular facts of this case, no adjustments needed to be made at certain steps in the process. The draft decision explained clearly, in particular, that: (a) the need to ensure the penalty is dissuasive was taken into account sufficiently under Step 2 such that there was no need for a further uplift reflecting the need for the penalty sum to deter others under Step 4;[172] and (b) the mitigating factors had been taken into account under Step 2, so no adjustment was made at Step 5 to avoid 'double-counting'. The fact that certain steps did not require adjustments to be made in a particular case does not render the RAP, which is intended to be of general application, "deficient".[173]

169 Marriott's Second Representations, para 7.93.
170 Marriott's Second Representations, paras 1.7-1.10.
171 Marriott's Second Representations, para 1.34.
172 Marriott's Second Representations, para 1.34.
173 Marriott's Second Representations, para 1.10, see also para 1.34.

7.111. In any event, to assist Marriott, the Commissioner has dealt with the mitigating factors arising in this case under Step 5 of the analysis (rather than Step 2, see para 7.40 above) so that it can see the impact of these factors on the overall level of penalty.

7.112. Fifth, as explained at paragraph 7.68 above, the Draft Internal Procedure was not developed and is not relied upon for the purposes of meeting the legal certainty requirement, contrary to Marriott's submissions during the course of the investigation.[174] While it was intended to be a helpful supplement to the RAP for internal decision-making purposes, it has been disregarded for the purposes of this Notice.

7.113. Sixth, for the reasons given above in respect of Marriott's legitimate expectation argument, it is not open to the Commissioner to re-impose the different, UK-only, legislative cap on fines in the manner sought by Marriott. The bands which applied under the DPA 1998, and the decisions made under it, cannot be relied upon as a justification for the Commissioner to fail to comply with EU law.

7.114. Finally, as to the claim made by Marriott that other bodies, namely the FCA and the EU Commission, apply more rigorous and more predictable rules, it is noted that each regulator must take enforcement action within the bounds of its own legal obligations, and in this case the Commissioner is bound to comply, in particular, with Article 83 of the GDPR.[175]

Other decisions by the Commissioner / Decisions by other European authorities

7.115. Marriott submitted in its Representations that the proposed penalty is inconsistent with previous action by the Commissioner and other EU supervisory authorities, contrary to the stated aim of GDPR being to create a harmonised regime.[176] In its Representations,[177] Marriott states that the proposed penalty is (a) inconsistent with action taken by other EU supervisory authorities, (b) contrary to the stated aim of the GDPR being a harmonised regime; and (c) inconsistent with the decision taken by the Commissioner in a different case. Marriott specifically refers to the following cases:

        a. the decision by CNIL to impose a €50 million penalty on Google. Marriott contended that the infringements in Google's case were more serious than those considered in this Notice.

        b. the Austrian Data Protection Authority against Österreichische Post AG, which was fined €18 million;

        c. a €2.6 million fine issued by the Bulgarian Commission of Personal Data Protection to the Bulgarian Revenue Agency in relation to a cyber-attack which affected over 5 million data subjects;

        d. a fine of €645,000 imposed on Morele.net by the Polish supervisory authority for a cyber-attack affecting over 2 million data subjects;

        e. a fine of €150,000 imposed on Raiffeisen Bank by the Romanian supervisory authority concerning the misuse of customer data by employees of the bank;

        f. the Romanian authority on UniCredit Bank SA. The company was fined €130,000 for a breach of Article 25 GDPR due to the compromise of payment details, when its worldwide turnover for 2018 was €18 billion; and

        g. the Commissioner's decision regarding Doorstep Dispensaree Ltd, dated 20 December 2019.

174 Marriott's First Representations, para 4.61 and Marriott's Second Representations, para 1.4.
175 The submissions made at paras 1.20-1.25 of Marriott's Second Representations are noted.
176 Marriott's First Representations, paras 4.69-4.7 and Marriott's Second Representations, paras 1.12-1.19.
177 Marriott's Second Representations, paras 1.14-1.19.


7.116. The purpose of GDPR is, as Marriott contends, to secure a harmonised regime. However, that harmonisation is achieved through the application of harmonised rules and standards to the particular facts of the case at issue. Any cross-border processing decision must then be subject to the Article 60 process.

7.117. The Commissioner, along with other EU supervisory authorities, must comply with her obligations under Article 83 and that means that she is required to impose a penalty which, in her own judgment, having regard to all the matters listed in Article 83, and on the facts of the individual case, is effective, proportionate, and dissuasive. In principle, 'equivalent' breaches should attach 'equivalent' penalties. But in practice, each case will turn on its own particular facts. Whilst the Commissioner has considered the limited information available about the cases to which Marriott has referred, she maintains that simple comparisons of the penalties imposed in different cases do not show that the Commissioner has erred in applying Article 83 GDPR, DPA and/or the RAP.

7.118. There is a great degree of variation in the penalties imposed by supervisory authorities even in the context of the limited fines imposed to date,[178] which are - in the Commissioner's view - indicative of a decision-making process that is fact-specific. It would be premature and not necessarily helpful to rely heavily at this juncture on a survey of the action taken by other supervisory authorities, given the relatively few decisions that have been taken under the new regime. This is particularly the case where there is limited public information available about the reasons for the decisions taken by other authorities.

7.119. In any event, as the Commissioner is acting as lead authority in this case, the way to ensure consistency is not by comparing the penalty to a selection of other penalties issued on different facts in the EU. Rather, the consistency mechanism provided for by Articles 60(4) and 63 GDPR will allow for all of the supervisory authorities concerned to cooperate with the Commissioner, make enquiries, and contribute their views in order to ensure the consistency of the ultimate penalty sum with penalties that have been (if there are any) and/or will be applied in similar situations. The Article 60 process is one of the factors which, as noted in Article 63, contributes to the consistent application of the GDPR and the Commissioner is entitled to rely on the process as a contributory factor.

(7) Application of the RAP

7.120. In response to the NOI and/or the draft decision, Marriott submitted that the Commissioner had acted contrary to the RAP by: (a) failing to consider separately the appropriate fines for the provisionally found breaches of Articles 33 and 34 GDPR, from those in relation to Articles 5(1)(f) and 32 GDPR; (b) failing to adopt the starting point that any penalty of over £1 million is reserved for very significant cases; and/or (c) failing to correctly apply the factors that the RAP categorises as determining whether a higher penalty can be imposed.[179]

178 Notably the decision of the French SA, the CNIL, to fine Google 50 million Euros. See also https://www.enforcementtracker.com which suggests there is significant variation in the level of fines that have been imposed to date, ranging from a few thousand to millions of pounds.


7.121. As to the first issue, the Commissioner has not included in her final decision a finding that Marriott breached Article 33 or 34 GDPR. Thus, this issue no longer arises.

7.122. The second issue is based on a misreading of the RAP. Marriott misunderstood the discussion of the circumstances in which she may convene an advisory panel. This point has been addressed above at paras 7.76-7.77.

7.123. In response to the draft decision, Marriott submitted that the Commissioner is seeking to "reinterpret" the wording of page 26 of the RAP in this regard. That is incorrect. The section of the RAP which addresses specifically the setting of a penalty does not refer to this concept of "very significant" penalties at all. This language is used only to describe the types of situations in which the Commissioner may convene an advisory panel.[180]

7.124. Marriott also submitted that the fact that: "the ICO appears to have determined that this case is not significant enough to merit convening the panel, which is entirely inconsistent with the fine imposed and further demonstrates the arbitrariness of this process."[181] This submission is unfounded. The Commissioner has discretion over whether to convene a panel. The reason why a panel was not convened in this case was explained in correspondence, i.e. this decision would be subject to the Article 60 consultation process. In such circumstances, the panel was unnecessary. It does not imply that this case lacks significance. For the reasons outlined above, this case has been found to involve significant breaches of the GDPR.

7.125. The third issue was also based on a misinterpretation or misapplication of the RAP. Contrary to Marriott's submissions,[182] the RAP does not set out at page 27 the only categories of cases in which it is justifiable for the Commissioner to impose a high penalty. The examples provided are not to be applied as a list of criteria which must be met in any case before a penalty exceeding £1 million can be imposed. They provide a general indication of the circumstances in which a penalty will be higher. The Commissioner is not therefore departing from guidance in a manner which has to be justified. This Penalty Notice explains why the fine set is appropriate.

179 Marriott's First Representations, paras 4.42-4.49 and Marriott's Second Representations, paras 1.32-1.34.
180 Page 26 of the RAP.
181 Marriott's Second Representations, para 1.33.
182 Marriott's Second Representations, para 1.32.


7.126. The GDPR was enacted i 2016 and came into force two years later.
        Data   controllers,  especially  global  undertakings    of the   size  of
        Marriott, would   have  been   fully aware  of the maximum      penalties

        permitted  by GDPR.    The reference to the sum     of £1 million i the
        RAP  does   no more   than  describe  the circumstances     i which   the

        Commissioner    may   decide to convene    an advisory panel, and page
        27 of the RAP cannot be relied upon to confine the Commissioner’s

        power  to impose    penalties i the manner     sought   by Marriott. The
        decision  as to whether   a penalty   should  be imposed    and  at what
        level, i order to provide an effective, proportionate and dissuasive

        result has to be reached     through   the application  of Article 83(2)
        GDPR   and  section 155  DPA   2018.  It i clear from  the RAP   that the

        Commissioner     will adopt   a case-specific    approach,   taking   into
        account  all relevant considerations.   That i the approach      taken  i
        this case.


        (8) Proportionality

7.127.  Marriott contends that the proposed     penalty set out i the NOI was
        disproportionate   on its face.18? This argument     i not accepted     i

        respect of the provisional penalty that was proposed       i the light of
        the information available at that time.


7.128.  It is also not accepted that the penalty proposed in the draft decision
        was also disproportionate. That proposed penalty took account of
        and reflected the submissions made by Marriott in response to the
        NOI. Marriott criticised the approach taken in the draft decision on
        the basis that the claim that the fine proposed was proportionate
        rested inappropriately on a comparison with the level of penalty set
        out in the NOI.184 That was not the approach taken. Section 7 of the
        draft decision explained clearly the basis upon which, at that time,
        the proposed penalty was proportionate. In any event, this Penalty
        Notice explains in clear terms why the level of final penalty imposed
        is proportionate in the light of the findings reached by the
        Commissioner (see paragraphs 7.3-7.57 above).

183 Marriott’s First Representations, paras 4.74-4.77 and Second Representations, para 1.8.
184 Marriott’s Second Representations, paras 1.8 and 1.40.

7.129.  The mathematical error made at para 5.43 of the draft decision is
        noted.185 No such error is made at para 7.57 above.

8. HOW THE PENALTY IS TO BE PAID


8.1.   The penalty must be paid to the Commissioner’s office by BACS
       transfer or cheque.

8.2.   The penalty is not kept by the Commissioner but will be paid into
       the Consolidated Fund which is the Government’s general bank
       account at the Bank of England.


9. ENFORCEMENT POWERS

9.1.   The Commissioner will not take action to enforce a penalty unless:

          • all or any of the penalty has not been paid;

          • all relevant appeals against the penalty notice and any variation
            of it have either been decided or withdrawn; and

          • the period for appealing against the penalty and any variation
            of it has expired.

9.2.   In England, Wales and Northern Ireland, the penalty is recoverable
       by Order of the County Court or the High Court. In Scotland, the
       penalty can be enforced in the same manner as an extract registered
       decree arbitral bearing a warrant for execution issued by the sheriff
       court of any sheriffdom in Scotland.


185 Marriott’s Second Representations, para 1.41.

Dated the 30th day of October 2020








Elizabeth Denham
Information Commissioner


Information Commissioner’s Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF



ANNEX 1


RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER



      1.     Section 162(1) of the Data Protection Act 2018 gives any
             person upon whom a penalty notice has been served a right of
             appeal to the First-tier Tribunal (Information Rights) (the
             ‘Tribunal’) against the notice.


      2.     If you decide to appeal and if the Tribunal considers:-

             a)    that the notice against which the appeal is brought is
                   not in accordance with the law; or

             b)    to the extent that the notice involved an exercise of
                   discretion by the Commissioner, that she ought to have
                   exercised her discretion differently,

             the Tribunal will allow the appeal or substitute such other
             decision as could have been made by the Commissioner. In
             any other case the Tribunal will dismiss the appeal.


      3.     You may bring an appeal by serving a notice of appeal on the
             Tribunal at the following address:

                   General Regulatory Chamber
                   HM Courts & Tribunals Service
                   PO Box 9300
                   Leicester
                   LE1 8DJ

             a)    The notice of appeal should be sent so it is received by
                   the Tribunal within 28 days of the date of the notice.

             b)    If your notice of appeal is late the Tribunal will not
                   admit it unless the Tribunal has extended the time for
                   complying with this rule.



             The notice of appeal should state:-

             a)    your name and address/name and address of your
                   representative (if any);

             b)    an address where documents may be sent or delivered
                   to you;

             c)    the name and address of the Information
                   Commissioner;

             d)    details of the decision to which the proceedings relate;

             e)    the result that you are seeking;

             f)    the grounds on which you rely;

             g)    you must provide with the notice of appeal a copy of the
                   penalty notice or variation notice;

             h)    if you have exceeded the time limit mentioned above
                   the notice of appeal must include a request for an
                   extension of time and the reason why the notice of
                   appeal was not provided in time.


             Before deciding whether or not to appeal you may wish to
             consult your solicitor or another adviser. At the hearing of an
             appeal a party may conduct his case himself or may be
             represented by any person whom he may appoint for that
             purpose.


             The statutory provisions concerning appeals to the First-tier
             Tribunal (General Regulatory Chamber) are contained in
             sections 162 and 163 of, and Schedule 16 to, the Data
             Protection Act 2018, and Tribunal Procedure (First-tier
             Tribunal) (General Regulatory Chamber) Rules 2009
             (Statutory Instrument 2009 No. 1976 (L.20)).