On September 29, 2022, the Office of the Privacy Commissioner of Canada (the OPC) published the results of its investigation into the 2018 data breach involving Marriott International, Inc. (Marriott), finding many of the hotel giant’s privacy controls inadequate and recommending remedial steps to prevent future breaches.

Marriott announced that it experienced a data breach involving the unauthorized access of a Starwood Hotels (Starwood) database on November 30, 2018, as previously reported by the E-TIPS® Newsletter here. Starwood is a separate hospitality company that was acquired by Marriott in 2016, with the unauthorized access reportedly starting before the acquisition (i.e., spanning from 2014 to 2018). The threat actor reportedly obtained access to personal information contained in up to 12.8 million records where the country-of-residence information was listed as Canada. These records included information on guest profiles and contact details, guest reservations, passport details, and encrypted payment card information.

The incident prompted the OPC to launch an investigation into Marriott’s primary operating company for Canadian hotels, Luxury Hotels International of Canada, ULC. During the investigation, the OPC considered the following key issues:

  1. Safeguards. The OPC reviewed whether there were proper information security safeguards in place to protect personal information. It found several deficiencies in its investigation, including with respect to access controls, anti-virus software, logging and monitoring, and information storage. The OPC found that these deficiencies represented a failure to implement proper protection measures and were a contravention of Principle 4.7 of the Personal Information Protection and Electronic Documents Act (PIPEDA).
  2. Accountability. Following the acquisition of Starwood, Marriott was accountable for implementing policies to properly protect personal information. The OPC found that despite undergoing a post-acquisition assessment of Starwood’s systems and making certain improvements, Marriott failed to adequately perform ongoing security assessments in contravention of Principle 4.1.4 of PIPEDA.
  3. Information Retention. The OPC determined whether the compromised information was held for an appropriate period of time and found that certain personal information was retained for longer periods than necessary in violation of Principle 4.5 of PIPEDA.
  4. Notification and Mitigation. Given that the OPC considered the compromised information as presenting an ongoing risk of harm for those affected, it reviewed whether appropriate notification and mitigation measures were used in response to the breach. Marriott conducted both direct notification for those individuals in which it had a valid email address and indirect notification for the remaining individuals (e.g. issuing press releases and providing breach information on a dedicated website). Additionally, Marriott implemented various mitigation measures, such as offering one year of free web monitoring to affected individuals, establishing a dedicated call centre, implementing a process for individuals to verify whether a passport number was involved in the breach, and notifying credit card networks of the incident. Although the OPC would have preferred the web monitoring protection to be for a longer time period, it ultimately found the above notification and mitigation measures to be adequate.

In concluding its report, the OPC acknowledged the remedial steps carried out by Marriott, such as the decommissioning of the Starwood database in December 2018. It also recommended implementing further action to ensure compliance, including having Marriott (i) retain an independent assessor to review any enhancements it has made to its systems; and (ii) review its organizational and governance measures as it relates to selected privacy practices. With both recommendations, the OPC requested that Marriott submit reports detailing their findings and proposed timelines for addressing any action items arising from the reviews.

Summary By: Imtiaz Karamat


22 10 19

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.