Donald Rumsfeld and the UK Information Commissioner’s Office don’t seem like natural bedfellows. But reading the ICO’s recent penalty notice against Marriott International got me thinking of Rumsfeld’s classic line about there being unknown unknowns – the things we don’t know we don’t know.

Back in July 2019, the ICO in its notice of intention to fine claimed that Marriott “failed to undertake sufficient due diligence when it bought” Starwood Hotels & Resorts in 2016. That’s important because it was a cyber attack on Starwood’s systems, which Marriott only discovered in September 2018 and subsequently notified, that led to the £18 million fine imposed by the ICO on Friday.

Starwood reportedly was unaware of the attack. Which is where Donald comes in: if a target company doesn’t know it’s been compromised – which for most hackers is kinda the point – it’s also going to be difficult for an acquirer to uncover that information. The Starwood acquisition took place in 2016, when the GDPR was not the four-letter word it is now. But even today there’s a limit on the scope and type of diligence that buyers will conduct on even the most data-heavy businesses. Unless you’re scanning the dark web for stolen databases, conducting pen tests (good luck with most targets agreeing to that) and more, there will, or could, be things you don’t know you don’t know.

What should buyers be doing?

  • Step 1: ensure the transaction documents cover both the known knowns and the unknown unknowns. This could mean avoiding awareness-based reps and warranties, and pushing to extend typical indemnity periods. Contrast this with the Starwood/Marriott merger papers, which contained no privacy or security reps and warranties.
  • Step 2: during the 100-day period and beyond, thoroughly review and (if needed) invest in robust security measures for your new entity, even if these measures aren’t designed to address a specific known incident. The ICO’s penalty notice makes clear that Marriott could have detected the Starwood attack earlier had it monitored user accounts and databases – and future enforcement actions are also likely to consider companies' steps in this regard as a point in mitigation or aggravation, as the case may be.

So, whether you know you know, you know you don’t know, or you don’t know you don’t know, don’t overlook privacy and security diligence. As Marriott now knows, it could be a costly decision.