Marriott's got 99 million problems and the ICO's one: Starwood hack mega-fine looms over

The UK's Information Commissioner's Office wants to fine Marriott Hotels £99m over its loss of 383 million customer booking records last year. The almost-but-not-quite-£100m sum (£99,200,396) was disclosed in a US regulatory filing by Marriott, which said: "Marriott has the right to respond before any final determination is …

  1. Doctor Syntax Silver badge

    A bit of honesty

    We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott. Clearly we failed, so we think the punishment is appropriate.

    Wouldn't that actually be more encouraging to potential customers than the transparently untrue garbage? Contrition is more convincing than bluster.

    1. Borg.King
      Alert

      Re: A bit of honesty

      clearly we failed so we think the punishment is appropriate

      An admission of guilt opens up a plethora of routes to losing court battles for compensation.

      1. Doctor Syntax Silver badge

        Re: A bit of honesty

        The routes are there anyway as there seems to be no dispute it happened. A better attitude might actually lessen the potential for punitive damages.

    2. theblackhand

      Re: A bit of honesty

      "Wouldn't that actually be more encouraging to potential customers than the transparently untrue garbage? Contrition is more convincing than bluster."

      Normally I would agree, however given that this problem was acquired rather than being of Marriott's making AND they appear to have been open and honest about it and cleaning it up, I think they have been contrite.

      1. Doctor Syntax Silver badge

        Re: A bit of honesty

        "I think they have been contrite."

        Not when they propose challenging the decision.

        1. theblackhand

          Re: A bit of honesty

          Marriott have put aside up to £100m for the fine - while they're challenging the decision, is this a case of not accepting the legal liability, accepting the fine and challenging the amount? Or not accepting they should be fined, because I don't

          From previous accounts, Marriott appeared to have a robust internal data security policy given their ability to detect an intrusion, publicly disclose what happened and fully co-operate with the investigation. The challenge was in discovering just how broken Starwood's data security systems were prior to the acquisition and then subsequently during the integration of the companies.

        2. ocflyfish

          Re: A bit of honesty

          "Not when they propose challenging the decision."

          They have an obligation to their shareholders to fight this ridiculous fine and not simply roll over.

          I wonder how many of you would be singing a different song if it was the state of California suing a UK company, based upon a California law, and demanding outrageous fines that would simply go into the Sacramento coffers? Something to consider...

  2. Anonymous Coward

    Just the cost of doing business

    As usual. £99m is totally inconsequential. How about a nice round £1000 for each British citizen whose data they failed to secure? At the very least, the fine should be significantly more than it would have cost to implement proper security, train staff, and generally get serious about protecting their customers. Otherwise why would any rational corporation do the latter?

    1. Joe W Silver badge

      Re: Just the cost of doing business

      Why just "British citizens"? I guess there could be a bunch of tourists staying in Britain as well - plus the ICO's investigation was "on behalf of the EU states". And the data breach was not limited to a certain country, with Pompeo twittering about it...

      But I do agree that these fines should hurt. A lot.

      1. Anonymous Coward

        Re: Just the cost of doing business

        There are three plausible jurisdictional theories that can be employed here:

        1. The offense occurred wherever the corporation is headquartered, in this case the USA. Since the ICO is involved, I surmise this is not the theory being employed in this instance.

        2. The offense occurred wherever the data was being stored, almost certainly also the USA.

        3. The offense occurred wherever someone lives (or is a citizen) whose data was not properly protected.

        I'm assuming that the basis for UK jurisdiction here is theory (3), in which case I fail to understand how the ICO can properly punish a USA corporation for failing to protect the data of (for example) USA citizens stored in the USA. We rightly raise hell when the USA government tries to assert global jurisdiction, and I fail to see any real distinction here. That for example California has not fined them billions of dollars as well is a mystery to me as it certainly seems that they would have the power to do so under the same jurisdictional theory, and for entirely separate offenses from those committed against citizens of EU member states.

        That said, I do amend my claim to include all citizens of EU member states, since the ICO was acting in that context. Either way, it should be well into double digit billions of whatever currency unit we're discussing.

        1. tfewster
          Trollface

          Re: Just the cost of doing business

          The basis is EU GDPR law. If you're doing business in the EU, you have to comply. The (British) ICO is taking this up on behalf of the EU, though I'm curious about where the fine goes to. $4 per head doesn't go far in covering individuals against ID theft, but presumably the ruling makes it easier for customers to make their claims for actual losses.

          I don't know California law, but they're welcome to prosecute as well if they don't feel the company has been punished sufficiently.

          I can see a fun future where countries race to get their prosecutions in "on behalf of the world" ;-)

          1. Cuddles

            Re: Just the cost of doing business

            "The (British) ICO is taking this up on behalf of the EU, though I'm curious about where the fine goes to."

            Presumably similar to the breakdown from the BA fine:

            https://www.bbc.co.uk/news/business-48905907

            "The penalty is divided up between the other European data authorities, while the money that comes to the ICO goes directly to the Treasury."

            I haven't seen any information on exactly how the split between countries is decided. Presumably it's on a case-by-case basis depending on how many people were affected in different places.

        2. Wellyboot Silver badge

          Re: Just the cost of doing business

          Marriott isn't just a single company; like all multinationals they have hundreds of separate legal entities spread across all the countries they do business in (mainly to firewall liability).

          This one is well within the ICO's remit:

          Marriott Hotel Limited - Registered office address - 4th Floor, 45 Monmouth Street, London, England, WC2H 9DG

          As an EU based company they're nailed for not looking after EU citizens' data and the ruling will be enforced across the entire EU. I doubt we'll see any attempts to fine companies that have no EU representation even if that is technically covered by the legislation, but it could be interesting to see what happens if a foreign company that has suffered a breach later opens an EU operation.

          In the near future I expect there to be many more huge GDPR fines for all manner of companies as the regulators across Europe bring completed investigations to the party.

          Personally, I think that as the Marriott breach lasted years, the fine should be per-annum.

          1. Doctor Syntax Silver badge

            Re: Just the cost of doing business

            "As an EU based company they're nailed for not looking after EU citizens data"

            The fact that they're an EU company doesn't affect the issue although it would make non-payment a bit easier to deal with. Nor does their being multiple entities which don't, in this case, firewall legal liabilities. The salient fact is that EU residents' data was involved.

        3. doublelayer Silver badge

          Re: Just the cost of doing business

          If you're referring to the California Consumer Privacy Act, that doesn't take effect until 2020, so California can't impose any penalties based on that law for this breach. By 2020, I'm sure the various amendments proposed by the many definitely consumer-oriented organizations founded just after the CCPA was passed, because some consumers in Mountain View and Menlo Park were just that interested, will have been installed in the law and it won't have any effect then either.

        4. Doctor Syntax Silver badge

          Re: Just the cost of doing business

          "I fail to understand how the ICO can properly punish a USA corporation for failing to protect the data of (for example) USA citizens stored in the USA"

          It can't. As far as the ICO or any EU regulator is concerned it can lose millions of US citizens' data every day of the week providing none of them are EU residents. That's the criterion: EU residence.

  3. Dvon of Edzore

    Collateral damage in the Cyberwar

    So the company is targeted by a State-sponsored entity in a cyberwar skirmish between superpowers, and yet it is supposed to fall on its sword for being the victim? Perhaps you will pay all your neighbors when your house is burglarized because you made their insurance rates go up?

    1. Anonymous Coward

      Re: Collateral damage in the Cyberwar

      If your house is burgled because you left all the doors and windows wide open and put up a sign reading "on holiday for 6 weeks", that wouldn't be unfair.

      State actors have created absurd advantages for themselves over anyone else when it comes to physical, mechanical warfare. The same is not true when we're talking about data security. A clever individual or a corporation with the kind of resources that Marriott International has can defeat this kind of threat, and I would argue is obligated to make every reasonable attempt to do so.

      It's one thing for China to employ sleepers who take IT security jobs with a foreign target corporation, corrupt their auditing software, and send their customers' data back to the PLA. That's difficult (though not entirely impossible) to defend against, but it's also very risky for China: phrases like "international incident" and "act of war" get thrown about, as well as a fairly automatic espionage conviction. It's another thing entirely to simply not bother training staff, employing industry best practices, or really making any kind of effort at all to prevent unauthorised remote access, which is how 99%+ of all these breaches occur. If you want to argue that you couldn't possibly have prevented the breach because it was orchestrated by a state actor, you should have to prove that your countermeasures were strong enough that only a state actor could have pulled it off. Good luck with that.

    2. IGotOut Silver badge

      Re: Collateral damage in the Cyberwar

      I wish I could down vote you more than once.

      1. They were in their systems for 4 years.

      2. The details were unencrypted.

      3. "burglarized" - that itself deserves a dozen downvotes on its own.

      1. doublelayer Silver badge

        Re: Collateral damage in the Cyberwar

        There's a clear difference between you getting burgled and a company having customer data stolen from them. I'll lay it out for you:

        You get burgled: your stuff is gone. At the very least, you have to go through the insurance claims process and purchase new possessions. Usually, you're out quite a bit of value.

        Company has information stolen: Customers have to worry about account compromises and identity theft. Without laws like these, the worst the company itself has to deal with is the risk that people might try to avoid their hotels. Given that this is not a market with an infinite number of participants, that isn't a major risk.

        There's the difference. When the negative event only harms you, we don't penalize you for the consequences. When it does, we can look into whether you were at fault. That doesn't mean that you or the company in this case is at fault for the whole thing, and their sentence isn't of the kind you'd get for actually performing that breach, but it is a perfect case for laws against negligence leading to harm, and data protection law better formalizes that in the specific case of data loss. I hope the ICO takes this into account, as a breach can happen to anyone no matter how much security they've done, but I don't see any evidence that they have not.

    3. Doctor Syntax Silver badge

      Re: Collateral damage in the Cyberwar

      "it is supposed to fall on its sword for being the victim?"

      You have a bank account containing a thousand of your local currency units. The bank is robbed and can no longer return your deposit. But I take it you don't care because it was the bank that was robbed, not you.

  4. ShortLegs

    Regardless, at least the ICO is starting to impose fines that DO appear on the balance sheet as tangible numbers, not the piddling £10,000 to £250,000 fines of the last decade or so, that were nothing more than rounding errors.

    And, frankly, Marriott's response is leagues ahead of BA's in terms of admission. BA's was nothing more than an indignant 'harrumpf' and a plaintive "we are unaware of any loss to anyone [so why should we be fined]" bleat.

  5. sanmigueelbeer
    Pint

    The UK's Information Commissioner's Office wants to fine Marriott Hotels £99m over its loss of 383 million customer booking records last year.

    Let's not kid ourselves: how much fine was handed out is completely disproportionate to how much was COLLECTED.

    1. Cynical Pie

      Well given that GDPR/DPA 2018 makes Directors/CEOs personally liable (depending upon the circumstances) I'd wager the amount collected will be a far higher percentage than previously

    2. Doctor Syntax Silver badge

      The fines are based on several criteria according to the GDPR and ICO policy. Firstly the GDPR lays out maximum fines. Secondly the ICO makes a decision based not only on the nature of the event but also on the approach of the offender. A non-cooperative business is going to see much bigger fines. It appears that Marriott were cooperative but their self-serving statement and intention to challenge the fine leads me to think that top management have not learned their lesson and the fine should be bigger and if I were a potential customer I'd maybe look elsewhere.

      1. John Brown (no body) Silver badge

        On the other hand, I can see where Marriott and their lawyers are coming from. This is all new legal territory and they want to challenge it to reduce the fine because they think their reading of the law is different to that of the ICO. Whatever the outcome, it creates precedent and case law. It may be that the ICO have misinterpreted the law and scale of the penalty. It might end up being higher.

  6. eldakka

    You want to publish your contact details around the world?

    Thinking of publishing them using Facebook? Twitter? White/yellow pages?

    No!

    Just book a stay with a Marriott hotel, and we'll take care of distributing your contact details around the world for no extra charge!

  7. steviebuk Silver badge

    Pullman London St Pancras

    They need to check that hotel next. In Jan or Feb 2018 its security was shockingly shit. They weren't even isolating the Wi-Fi network. They attempted to fix some of the issues while I was there when I reported it. But how long it had been insecure is anyone's guess. And unless they've sorted it since, I suspect they probably have other issues.
