M&A Due Diligence and the GDPR Class Action Lawsuits?

An interesting class action lawsuit (“representative legal action”) has been filed in the UK against Marriott International for the breach it experienced last year. The lawsuit, details of which can be found online, should be considered a development in what could become the next big headache for #privacy #informationsecurity and #dataprotection professionals. Before delving into the details of this legal action, here is a quick refresher on the breach.

How critical is M&A due diligence to data breach reporting?

From 2014 to 2018, hackers had access to Starwood Hotels Group’s systems that contained customer personal data. Marriott acquired Starwood in 2016 and did not detect the breach either. The UK’s Information Commissioner’s Office (ICO) found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems. A variety of personal data contained in approximately 339 million guest records globally was exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Marriott was fined about $130 million by the ICO. In a statement, the UK’s Information Commissioner Elizabeth Denham indicated that the high fine is due to Marriott’s failure of accountability, demonstrated by its lack of due diligence when acquiring Starwood.

What is so interesting about the legal action against Marriott?

  • The breached personal data was not sensitive. Hackers gained access to names, email and postal addresses, telephone numbers, gender, and credit card data. The data did not include the special categories of personal data that are listed in Article 9 of the General Data Protection Regulation. In fact, most of the exposed elements are commonly shared or easily found in public sources.
  • No claim of harm to the impacted individuals. This legal action goes after Marriott for failing to demonstrate accountability over personal data, as stated by Commissioner Denham, not because any of the exposed customers were adversely impacted by the breach. If anyone should have a legitimate claim of harm against Marriott, it’s the credit card companies that must pay for the fraudulent transactions on their cards, not the cardholders.
  • Legal financing firms show an interest in privacy. Companies that make their money by funding lawsuits and taking a percentage of the settlement (sometimes referred to as litigation funders) are starting to pay attention to the data protection space. This legal action is being fully funded by Harbour Litigation Funding, a global litigation funder. Pay attention, data professionals – the sharks are circling your boat!
  • Class action lawsuits are not common in the European Economic Area. Most people associate these types of legal actions with the American litigation system. However, it should be known that class action lawsuits are not an American invention. This type of legal action started in the UK. More importantly, for those companies falling under the jurisdiction of the GDPR, a cursory review of legal mechanisms in Europe shows that Italy, the Netherlands, Poland, and Spain also allow for class action suits for the protection of consumers.

What can we learn from this case?

Here is what we can learn from this case about data and M&A accountability failures that can lead to legal action.

  1. First, find all the personal data. Don’t just look for the data of EEA residents. The GDPR casts a wide net of applicability that goes beyond the data subjects’ country of residence.
  2. Don’t just protect the data, minimize it. Data minimization can be applied with various means, including masking and encryption, and can be based on the data location (e.g., not putting all your eggs in one basket), volume, users’ roles, and data retention considerations.
  3. When acquiring or merging with another company, assess and remediate any gaps in implementing the appropriate privacy and security controls.
  4. You can’t be breach-proof, but with the right tools, you can be smart about detecting and stopping breaches. Furthermore, once detected, you must follow the relevant breach reporting requirements.
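To make points 1 and 2 concrete, here is an added example (not code from the original post, and not Dataguise’s product) that does two things on a constructed guest dataset: it scans free text for the kinds of elements exposed in the Marriott breach (e-mail addresses and card numbers that pass a Luhn check), and it applies data minimization to guest records by masking, pseudonymizing or dropping fields per role and purging identifying fields once a retention window has passed. The record layout, role names, the retention period and the pseudonymization key are all assumptions made for the illustration.

```python
"""Added example: discovering personal data in text, then minimizing guest records
by role and retention. Not from the original post or from Dataguise.
All records, roles, keys and the retention period are constructed assumptions."""
import hashlib
import hmac
import re
from datetime import date, timedelta

# --- Point 1: find the personal data -------------------------------------------

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out invoice numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_personal_data(text: str) -> dict:
    """Flag e-mail addresses and Luhn-valid card numbers in free text
    (e.g. an export discovered on an acquired company's server)."""
    cards = [m.group().strip() for m in CARD_RE.finditer(text)
             if luhn_ok("".join(ch for ch in m.group() if ch.isdigit()))]
    return {"cards": cards, "emails": EMAIL_RE.findall(text)}


# --- Point 2: don't just protect the data, minimize it -------------------------

# Constructed sample guest records (fictitious values, test card numbers).
GUEST_RECORDS = [
    {"name": "Ada Example", "email": "ada@example.org", "phone": "+44 20 7946 0000",
     "postal": "1 Example St, London", "card": "4111111111111111",
     "last_stay": date(2019, 3, 2)},
    {"name": "Bo Sample", "email": "bo@example.net", "phone": "+1 555 0100",
     "postal": "2 Sample Ave, Boston", "card": "5555555555554444",
     "last_stay": date(2015, 7, 19)},
]

RETENTION_DAYS = 365 * 3  # assumed policy: purge identifiers 3 years after last stay
PSEUDONYM_KEY = b"constructed-demo-key-do-not-use"  # in practice: from a KMS/HSM

# Assumed role policy. "clear" = full value, "mask" = partial redaction,
# "pseudo" = keyed hash; a field absent from the policy is dropped entirely.
ROLE_POLICY = {
    "front_desk": {"name": "clear", "phone": "mask", "email": "mask"},
    "billing":    {"name": "clear", "card": "mask", "postal": "clear"},
    "analytics":  {"email": "pseudo"},
}


def pseudonymize(value: str) -> str:
    """Keyed hash: links the same guest across datasets without revealing the value."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask(field: str, value: str) -> str:
    digits = "".join(ch for ch in value if ch.isdigit())
    if field == "card":
        return "*" * (len(digits) - 4) + digits[-4:]
    if field == "phone":
        return "***" + digits[-3:]
    if field == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    return "***"


def view_for_role(record: dict, role: str) -> dict:
    """Return only the fields the role is allowed, in the allowed form."""
    out = {}
    for field, treatment in ROLE_POLICY[role].items():
        value = record[field]
        if treatment == "clear":
            out[field] = value
        elif treatment == "mask":
            out[field] = mask(field, value)
        elif treatment == "pseudo":
            out[field] = pseudonymize(value)
    return out


def purge_expired(records: list, today: date) -> list:
    """Strip identifying fields from records past the retention window."""
    limit = timedelta(days=RETENTION_DAYS)
    return [{"last_stay": r["last_stay"], "status": "purged"}
            if today - r["last_stay"] > limit else r
            for r in records]


if __name__ == "__main__":
    print(find_personal_data("Guest ada@example.org paid with 4111111111111111, ref 1234567890"))
    for role in ROLE_POLICY:
        print(role, view_for_role(GUEST_RECORDS[0], role))
    print(purge_expired(GUEST_RECORDS, date(2019, 6, 1)))
```

The role policy is the minimization step the post describes: billing never receives an e-mail address, the front desk never receives a card number, and analytics gets only a keyed pseudonym, so a compromise of any one consumer exposes far less than the full record. The retention purge is the "how long" dimension, and the scanner is what you would run first against an acquired company's systems to learn what is actually there before deciding what to keep.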

These four points cannot be addressed through internal surveys, interviews, and training. To do it right, you must adopt technology solutions. Adopting new technologies requires an investment of time and money, but so does addressing corrective actions from regulators and class action lawsuits. Can you guess which one is more costly?

About the author:

Sagi Leizerov, Ph.D., SVP Enterprise Privacy Solutions at Dataguise

Sagi is a Certified Information Privacy Professional (CIPP/US) with over 20 years of privacy and data governance experience. You can check out his full bio here.