09 Jul Poor privacy due diligence. Price: €110 290 061
Following an extensive investigation, the Information Commissioner's Office (ICO) in the UK intends to fine Marriott International €110 290 061 for infringements of the General Data Protection Regulation (GDPR).
The proposed fine relates to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA).
It is believed the compromise began when the systems of the Starwood hotels group were breached in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO's investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood.
The fine highlights the need for substantial privacy due diligence when acquiring companies, especially when the acquired business is to be merged with existing operations.
GDPR fines are calculated against a theoretical maximum of the higher of €20 million or 4% of total worldwide annual turnover of the preceding financial year, measured at group level (Article 83(5)). GDPR does not take into consideration when the breach occurred, nor the turnover at that point.
This makes privacy regulation similar to environmental law, where the purchaser inherits all responsibility for errors committed in the past. Just taking a company's word that it is GDPR-compliant will not suffice; a thorough assessment must be made of where personal data actually exists, and whether that corresponds to the records of processing activities the company is required to keep under Article 30.
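As an added illustration (not part of the original post), the following Python script shows one mechanical form that assessment can take: scan the contents of the target's data stores for personal-data patterns and reconcile the result against the Article 30 register, flagging stores that hold personal data but are missing from the register, registered stores that hold categories they never declared, and registered stores where nothing was found. The store names, records and register entries are constructed sample data, and the regular expressions are deliberately simplified detectors (assumptions for this example), not a production classifier.

```python
"""Reconcile discovered personal data against an Article 30 register (illustrative example)."""
import re
from dataclasses import dataclass, field

# Simplified detectors for a few personal-data categories (assumption: real due
# diligence would use a proper classifier and many more categories).
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+\d{1,3}[\s-]?\d{2,4}[\s-]?\d{3,4}[\s-]?\d{2,4}"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b"),
}

# Constructed sample of what a discovery scan of the acquired company's stores returns.
SAMPLE_DATASTORES = {
    "crm_db": [
        "guest=Anna Example email=anna@example.com phone=+44 20 7946 0958",
        "guest=Bo Muster email=bo@example.org refund_iban=GB29 NWBK 6016 1331 9268 19",
    ],
    "legacy_reservations_dump": [
        "2014-03-02 reservation 4471 contact=c.doe@example.net",
    ],
    "occupancy_stats": [
        "2018-11 rooms_sold=12034 adr=143.20",
    ],
}

# Constructed Article 30 register: store -> categories of personal data declared for it.
SAMPLE_REGISTER = {
    "crm_db": {"email", "phone"},
    "hr_system": {"email"},
}


@dataclass
class Finding:
    store: str
    categories: set = field(default_factory=set)  # categories actually observed
    samples: int = 0                               # number of pattern hits


def discover(datastores):
    """Scan every record in every store; return {store: Finding} for stores with hits."""
    findings = {}
    for store, records in datastores.items():
        finding = Finding(store)
        for record in records:
            for category, pattern in PII_PATTERNS.items():
                if pattern.search(record):
                    finding.categories.add(category)
                    finding.samples += 1
        if finding.categories:
            findings[store] = finding
    return findings


def reconcile(findings, register):
    """Compare what was found with what the Article 30 register declares."""
    undocumented = {s: f.categories for s, f in findings.items() if s not in register}
    undeclared = {}
    for store, finding in findings.items():
        if store in register:
            extra = finding.categories - register[store]
            if extra:
                undeclared[store] = extra
    not_found = {s for s in register if s not in findings}
    return {
        "undocumented_stores": undocumented,   # personal data held, no register entry
        "undeclared_categories": undeclared,   # registered store holds more than declared
        "registered_not_found": not_found,     # register entry with no data located
    }


if __name__ == "__main__":
    report = reconcile(discover(SAMPLE_DATASTORES), SAMPLE_REGISTER)
    for key, value in report.items():
        print(f"{key}: {value or 'none'}")
```

On the sample data the script reports the legacy dump as an undocumented store, the CRM database as holding bank account data it never declared, and the HR system as registered but not located by the scan. Each of those is exactly the kind of gap between documentation and reality that an acquirer inherits if it accepts the register at face value; the last category also shows that a scan is only as good as its coverage, so an unlocated registered store is itself a finding to chase.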
In tech, we have seen this for a long time. An investor does not only check that development processes exist; substantial resources are also spent on code review, to confirm that the organization has actually followed the processes and documentation it describes.
The potential risk of inheriting responsibility for poor privacy standards should make such a thorough privacy due diligence mandatory for all investors.