Hot on the heals of the recent announcement from the Information Commissioner’s Office (ICO) that they are intending to fine British Airways a record £183.39M for infringements of the General Data Protection Regulation (GDPR), another notice of intention to fine has been announced. This time it is Marriott International, the international hotel group and the fine is £99,200,396 for infringements of the GDPR after hackers stole the records of 339 million guests, 7 million being UK residents.
Marriott acquired Starwood hotels group in 2016 but it is thought that the vulnerability began back in 2014. The exposure of customer information was then not discovered until 2018 but the ICO’s investigation has concluded that Marriott failed to undertake appropriate due diligence when it bought Starwood and should have done more to secure its systems. Information Commissioner, Elizabeth Denham said:
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected”.
The fine is a cautionary tale for companies looking to expand and to acquire other businesses as Andrew Morgan, Partner and Head of Corporate & Commercial at JPC Law comments “This is a prime example of the importance of thorough and extensive due diligence in corporate transactions. It is so important to fully understand the business that you are buying and the potential issues and exposures that there might be for you in the future which can only be achieved by going through the correct due process”.
If you need advice in relation to GDPR, please contact Julie Edmonds, Head of Employment by email: email@example.com, or by telephone 0207 644 7286 or contact her on LinkedIn or if you are looking to acquire a business, contact Andrew Morgan, Head of Corporate and Commercial by email: firstname.lastname@example.org or by telephone 020 7644 6303 or contact him on LinkedIn.