Privacy due diligence in M & As - What Marriott Hotels’ cyber incident teaches us

12 Jul 2019

UK Information Commissioner’s Office (ICO) has shaken up the privacy world this week. On Monday, 8th of July 2019, it has issued a notice of its intention to fine British Airways 183.39 million GBP for GDPR infringements and the very next day, it hit the privacy headlines by announcing its intention to fine Marriott Hotels 99,200,396 GBP.

Marriott’s case relates to a cyberattack in November 2018 in which a variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA), and 7 million related to U.K. residents.

It is believed that the data compromise began with system vulnerabilities of the Starwood hotels group back in 2014 prior to Marriott acquiring Starwood in 2016 for $12.6 billion. The data breach was only discovered in 2018.

Among the types of data stolen were unencrypted names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, genders, arrival and departure information, reservation dates, and communication preferences. The database, which the attackers had been accessing was the Starwood Hotels chain's guest reservation database, since decommissioned.

Marriott’s troubles serve as a reminder that in today’s digital age, privacy and security due diligence is imperative during any Merger and Acquisition process and privacy/cybersecurity must be treated as a risk category in its own right.

Commissioner Elizabeth Denham remarked:

‘’The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
‘’Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public’’

The American Bar Association also asserts that it is critical to understand the nature and significance of the target business’ vulnerabilities and the potential scope of the damage that may occur or may have already been occurred in the event of a breach, and the extent and effectiveness of the cyber defenses the target business has put in place to protect itself. It concludes that ‘’an appropriate evaluation of these issues could, quite literally, have a major impact on the value the acquirer places on the target company and on the way it structures the deal.

From the seller’s perspective, there are lessons to be learned as well.  Getting your privacy and security in order is a smart move for preventing any obstacles or hassles which may occur if during due diligence privacy and data security weaknesses are found.


Navigating the Digital Advertising Landscape: Latest Developments and Strategies for Success
Ireland’s DPC imposes a record GDPR fine of €1.2 billion for Meta's EU-U.S. data transfers
MEPs rejected the EU- U.S. Data Privacy Framework
ICO fined TikTok 12.7M GBP over misuse of children's data
Larnaca, Cyprus

32 Konstantinou Paleologou Street,
The Square, 2nd Floor,
6036 Larnaca, Cyprus

London, United Kingdom

71-75 Shelton Street
London WC2H 9JQ
United Kingdom

Get in touch

Tel: +357 99 470 484

Click here to Subscribe