When Marriott bought Starwood Hotels & Resorts Worldwide, the deal was about data. But Marriott failed to carry out sufficient due diligence, or so the ICO found. Now it is the second company in two days, not to mention the second company in two days operating in the travel business, to fall victim to the ICO’s wrath. The Marriott and BA GDPR fines highlight the importance of privacy by design and default — a key part of GDPR — but also of security by design.
Marriott did in fact fork out $13.6 billion for Starwood; now it is apparently on course for a £99 million fine, or around $125 million, from the ICO. It isn’t confirmed yet; the ICO has merely said it intends to fine the company. That’s a lot of money, but given that the merger cost more than 100 times that, it may not seem so crippling. Then again, most of the merger cost was funded by paper transaction — Starwood shareholders received 34% of Marriott stock. The cash component boiled down to just $340 million. Given this, all of a sudden the $125 million fine seems massive. In 2018, its full year fee revenue came to $3.8 billion EBITDA.
BA’s revenue in 2018 was £13 billion, but its parent company, IAG, saw revenue of £22 billion. So the Marriott and BA GDPR fines, while they were huge, still fell a long way short of the maximum fines that can be issued under GDPR — 2% or 4%, depending on the circumstances.
Even so, the ICO has now proved, if such proof was ever required, that GDPR was no millennium bug, as cynics had claimed. These fines will hurt, but they won’t be crippling. Indeed, both companies may appeal, and the Marriott and BA GDPR fines may eventually be reduced, but they will send out a clear message to all — take the requirements of GDPR seriously, or you may pay a massive price.
In the case of Marriott, the fine relates to a cyber incident that occurred in 2014 at Starwood. Marriott acquired Starwood in 2016 but was unaware of the breach until 2018. The ICO said: “A variety of personal data contained in approximately 339 million guest records globally, were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.”
Marriott’s sin, according to the ICO, was that Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”
The rationale behind the Marriott Starwood merger was to combine the loyalty schemes that the two companies operated. Many regular business travellers often favoured one of the two hotel chains in their travels in order to acquire loyalty points to fund private stays. There were even reports of business travellers taking unnecessary trips to get their loyalty points to a certain threshold.
For Marriott, the deal meant of course an opportunity to create greater loyalty, not to mention acquire masses of valuable data.
In the case of the BA breach, just as happened at Starwood, there was a massive delay between breach and the company becoming aware of it.
A key part of GDPR is privacy by design and default. But the problem in the case of Marriott was not so much failure to acquire proper consents — it was very much in the interest of travellers collecting bonus points to have their data stored by the company.
Rather the failure, just as was the case with BA, was one of security — so poor that they didn’t know about the breach until after an extended time lag.
GDPR may require privacy by design, but organisations are waking up to the need for security by design too.
If digital transformation is about putting the customer at the core of an organisation, this is no good unless privacy for that customer is built in at the core of new products, and neither is it any good unless security is built in too.
The Marriott and BA GDPR fines show that organisations wanting to avoid massive fines must apply security by design, but they must of course also do this in order to build trust with customers.