Privacy Commissioner decision provides guidance for parties to M&A transactions

Éloïse Gratton November 17, 2022

The Privacy Commissioner of Canada’s decision regarding the Starwood/Marriott data security breach provides important guidance for parties to M&A transactions and for all organizations that handle personal information.

Marriott International (Marriott) acquired Starwood Hotels (Starwood) through a share purchase transaction in September 2016. Marriott assessed Starwood’s IT practices as part of the transaction due diligence. After the transaction, the Starwood and Marriott computer networks were kept separate, and Marriott implemented measures to improve the security of the Starwood network until it could be decommissioned. Marriott planned to integrate aspects of the networks within 18 months, but the integration was not completed until December 2018.

In September 2018, Marriott discovered a breach of the Starwood network involving unauthorized access to a Starwood guest reservation database of up to approximately 339 million customer records (including up to 12.8 million records of Canadian individuals) that included guest profiles and contact details, account and reservation information, and for some individuals passport details (which in some cases was unencrypted) and encrypted payment card details. The breach occurred over four years – from July 2014 until September 2018. The unknown attacker took steps to prepare to exfiltrate data from the Starwood network, but Marriott was unable to determine whether the attacker had successfully done so.

In November 2018, Marriott publicly announced the breach and reported the breach to the Office of the Privacy Commissioner of Canada (OPC). Marriott contained and investigated the breach, gave affected individuals direct and indirect notice of the breach, decommissioned the Starwood database, and enhanced the security safeguards of its systems based on lessons learned from the breach. Class action lawsuits relating to the breach were commenced against Marriott in Canada and the United States, and the United Kingdom Information Commissioner’s Office investigated the breach.

Read our bulletin on this topic.

This content has been updated on December 14, 2022 at 15 h 12 min.

Éloïse Gratton

Privacy & Data Protection Law

Privacy Commissioner decision provides guidance for parties to M&A transactions

Data governance and privacy risks in Canada: A checklist for boards and c-suite

An Update on New Québec Confidentiality Incidents and Record-Keeping Requirements

The inside scoop on how to become a privacy lawyer: 10 tips from the top

Preparing for the Privacy Reform in Canada

Getting Ready for Québec’s New Privacy Law in 2023 (Part 1): Using what we know so far

Getting Ready for Quebec’s New Privacy Law in 2023 (Part 2): Navigating uncertainty in the Law

Une fugitive recherchée depuis 30 ans, capturée à Berlin grâce à la reconnaissance faciale

CBC Windsor Morning Radio Show

La Cour suprême vient compliquer les cyberenquêtes

Une fugitive capturée à Berlin grâce à la reconnaissance faciale

Aide-mémoire en matière de protection de la vie privée et de sécurité des renseignements personnels

Lucky 7 data privacy and security cheat sheet