Hot on the heels of the British Airways fine, the Information Commissioner’s Office (“ICO”) issued Marriott with a long-awaited penalty for its failure to ensure appropriate security of the personal data it processed. The global hotel chain has been fined £18.4 million, a substantial reduction from the £99.2 million contemplated by the ICO’s notice of intention to fine. Sadly, the decision failed to give any detailed explanation for the reduction in the level of the fine to £28 million, although a further 20% reduction to £22.4 million was designed to acknowledge Marriott’s cooperation, and £4 million to reflect the impact of the coronavirus pandemic.
The Marriott attack, which spanned more than four years, impacted an estimated 339 million guest records. The attackers accessed 18.5 million encrypted passport numbers and 9.1 million encrypted payment card details.
The decision is of particular importance for acquisitions because the breach took place at Starwood Hotels before its acquisition by Marriott in September 2016. At the time of the acquisition, the attackers had been in Starwood’s network infrastructure for approximately two years, yet Marriott suffered the fine and the associated costs.
I want to focus on the implications for acquisition due diligence and two other takeaways: (i) the importance of not focusing on one part of your security to the exclusion of others and (ii) that relying on third parties to manage your cyber risk does not give you a ‘get out of jail free’ card.
The ICO recognizes the challenges with pre-acquisition due diligence.
In 2014 Starwood’s systems were compromised. Following its acquisition of Starwood in 2016 and despite not having discovered the breach or having been involved in the security failings that led to the breach, the continuing cyberattack became Marriott’s problem to contend with.
Marriott has said that it “was only able to carry out limited due diligence” prior to the acquisition of Starwood in 2016. The ICO declined to make any findings in the period prior to the GDPR coming into force in May 2018 (noting it had “not determined whether or not it was possible for Marriott to conduct due diligence during a takeover”). Yet the ICO went on to acknowledge that there “may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover.” There are several reasons for that. First, there is no general duty of disclosure on a seller (under English law) and, accordingly, a buyer is reliant on the information it is able to obtain from the seller via Q&A (noting that a seller may be liable in fraud for withholding information). Secondly, in a (UK public) takeover process, a bidder is generally limited to publicly available information and certain categories of non-sensitive information (because, in the UK, any competing bidder is entitled to receive the same information as the original bidder). The pressure to close in a timely fashion, a competitive process and the complexity of properly vetting the target business may all further limit access for due diligence. Nevertheless, the acquiring business needs to think carefully about the questions it asks in diligence with respect to cybersecurity: it is critical to understand the state of the security in place from the outset so that changes can be made immediately after completion. Such businesses may also want to consider whether to engage specialist external cybersecurity firms to help frame and/or conduct their due diligence exercise.
That is not to say reliance on diligence cannot be a defense. In fact, despite the limited assessment noted above, the ICO found that Marriott had been right to rely on certain information concerning the application of multi-factor authentication (“MFA”) to a critical system called the Cardholder Data Environment (“CDE”). That information, which comprised two reports by independent assessors (one issued pre-acquisition and the other post-acquisition), led Marriott to incorrectly believe that MFA was in place across the entirety of the CDE. The ICO concluded that Marriott “did not breach its obligations under the GDPR by relying upon” the reports and so did not consider MFA failings in coming to its decision.
Alongside robust due diligence, buyers should also ensure that adequate warranty and indemnity protection is sought in any definitive acquisition documentation. Buyers may also want to consider the merits of taking out a specific insurance policy, which may be able to cover a breach of any representations and warranties included in any definitive acquisition agreement. Of course, the scope and strength of the cover under any such policy is likely to depend on the robustness and strength of the buy-side due diligence exercise.
The process of compliance does not, of course, stop post-acquisition, regardless of what was learned during due diligence. The ICO recognized that while an acquisition is “a trigger”, the “need for a controller to conduct due diligence in respect of its data operations is not time-limited or a ‘one-off’ requirement.” Therefore, businesses cannot be complacent post-acquisition: they must ensure that the IT network they have acquired meets the appropriate technical and organizational measures required by law, and that any deficiencies are identified and addressed as soon as possible post-acquisition. This is vital for compliance, and, as the Marriott case shows, it is also essential to stand a chance of identifying an in-progress or imminent attack on the network you now own. Privacy and cybersecurity risk assessments should now be a key element of all post-acquisition work.
Don’t focus on one part of your security to the exclusion of all others.
The second takeaway is the importance of not focusing on one part of your security to the exclusion of all others.
Marriott was criticized by the ICO for focusing on protecting payment card information (“PCI”) above other security risks. Protecting PCI is critically important given that it is likely to be among the most sensitive data that most businesses hold on data subjects. The ICO acknowledged that a “risk-based approach” was required, and that PCI data was “likely to be the highest risk category” warranting higher security than other data. But the ICO considered Marriott to have failed to implement appropriate technical and organizational measures to ensure an “appropriate level of overall security for all other personal data.”
Marriott was also criticized over the lack of logging and monitoring it had in place to detect and mitigate attacks. The system that it had was only set up to issue alerts in respect of PCI data. The ICO concluded that “while a risk-based approach may require payment card data to have additional security alerts, this does not justify a complete lack of alerts on other personal data.”
While the penalty notice repeatedly stresses that no one cybersecurity measure is a panacea against attack, that is not a defense when it comes to discharging your duty under the GDPR. Businesses need a comprehensive strategy to understand what personal data they hold and what security should be in place before moving to a risk-based approach to identify where additional security might be required.
You can’t outsource the risk.
The final takeaway worth noting is the ICO’s rejection of arguments that Marriott’s decision to outsource aspects of Starwood’s security management to a consultant “should be taken into account in assessing Marriott’s responsibility for the Attack.”
In rejecting that argument, the ICO found that engagement of a third-party consultant “does not reduce Marriott’s responsibility for the breaches of the GDPR” and that “the engagement of third parties cannot reduce their degree of responsibility.” We are all aware that in the US your data is your data: while you may have a cause of action against an outsourced vendor, you, and you alone, remain liable for your data.
Although not surprising, this does create difficulty for businesses lacking Marriott’s resources. To what extent is it reasonable for smaller businesses to rely on expert security providers? While they might not be as obvious a target as Marriott, ransomware is still a disproportionate problem for small- and medium-sized businesses, with around 60% of attacks affecting businesses with revenue of less than US$50 million. It will be difficult for those businesses to demonstrate compliance with the GDPR unless they rely on advice from cybersecurity experts.
Thus, the complexity of the cybersecurity issues means that, while every business has a different risk profile requiring a different approach to cybersecurity, seeking expert cybersecurity advice is likely to be vital in most cases. However, businesses must not consider that such advice absolves them of liability or of the responsibility to monitor and understand the risks.
Businesses must take that advice seriously and avoid shelving difficult discussions. The business will be held responsible for the decisions that are made in response to that advice, and it is not for the regulator to judge whether that advice was properly given or the services were properly performed. Given the complexity of the issue, boards will need to consider whether they have the technical ability within the business to properly monitor such advice in satisfying their responsibility.
Lessons learnt
While many blogs focus on the fine Marriott faced, this is not the most important takeaway in my view. Organizations can learn a lot from understanding what lies behind the fine and can take steps to mitigate their cyber and privacy risk.
- Ensure appropriate attention to cyber and privacy in both pre-acquisition due diligence and post-acquisition integration and consider appropriate warranty protection to mitigate the risk.
- Take an organizational approach to assessing risk. While the GDPR allows for a risk-based approach to privacy and cybersecurity, it is necessary to assess that risk across all types of personal data and not simply focus on obvious areas of high risk.
- While it is good practice for companies to supplement their own cybersecurity and privacy teams by using outside consultants as necessary, the company will remain accountable. Data controllers must therefore ensure they do not over-rely on third parties and must satisfy themselves that they understand the cyber and privacy risks.
Richard Freiberg
Profitability Consultant
Richard Freiberg CPA PC
3 thoughts on “The ICO fine against Marriott”
Marriott’s fine brings to light the importance of thorough cybersecurity. Many firms may overlook risks, thinking third-party help is enough. Best to stay vigilant, don’t you think?
Vigilance is overrated; risks are just part of business!
Nah, mate, risks can lead to big troubles!