
The GDPR Implications Of Weak Due Diligence

Published on 24/07/2019

Recently the news broke that the Information Commissioner's Office (ICO) has begun to flex its muscles and ramp up the penalties for breaching GDPR, with both British Airways and Marriott International on the receiving end of monumental fines for the personal data breaches they reported in 2018 (a £183m fine, 1.5% of turnover, and a £99.2m fine, 3% of turnover, respectively).

The article we shared last week delved into the issue and discussed the implications, especially for SMEs, of the ICO beginning to take significant steps to enforce GDPR to the full extent of its power. However, this week we want to raise awareness of the source of Marriott's breach and the implications this can have for your business.

It is believed that the breach originated from an incident in which the systems of the Starwood hotels group were compromised in 2014, two years prior to Marriott acquiring Starwood in 2016. The ICO therefore found that Marriott had failed to undertake sufficient due diligence when it acquired Starwood and should also have done more to secure its systems, which was the reason the fine was imposed.

However, it was 2018 before Marriott notified the ICO that personal data in 339 million guest records had been exposed, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.

Mergers and Acquisitions (M&As) are a key business strategy for many organisations looking to expand into new markets, increase market share and streamline their businesses. However, as the case of Marriott shows, there are many Cyber Security risks to consider, many of which may not even have been identified when the M&A process began.

Completion of the M&A process shouldn't signal the end of your due diligence. Cyber Security isn't a one-off, but an ongoing process to protect your business and your clients from threats which may seek to harm them.

In the case of Marriott it took 4 years from the breach occurring to customers being notified that their personal information had been stolen. However, with stronger due diligence during the acquisition process and ongoing protections in place, the time to discover a potential breach would likely have been much shorter.

With these protections in place, Marriott would potentially have been able to avoid the breach which led to the theft of customer data altogether, and so avoid the fine for breaching GDPR. Even if this wasn't the case, in the event the breach did occur they would have been able to demonstrate that they had taken substantial steps to secure customer data, which would have helped to minimise their penalty for breaching the regulations.

Whether your organisation is considering a merger or acquisition and you are looking to perform your due diligence, or you are interested in implementing ongoing Cyber Security protections to demonstrate your compliance with GDPR, please get in touch and one of our specialists will get back to you within one business day.

© SES Secure Limited and, 2019. Unauthorised use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Financechain Limited trading as SES and, with appropriate and specific direction to the original content. 
