The MPN sets out that the ICO is not considering the period up to the introduction of the GDPR – so any infringement of the DPA98 has not been assessed. In the grand scheme of things, levying an additional £500k for a DPA98 breach would not have been of particular significance and may have made for a far more complicated investigation and report.
As a PCI DSS Qualified Security Assessor (QSA), the Outsourced DPO was particularly interested in the payment card industry angle to this. The MPN states that Marriott’s reliance on Reports on Compliance (ROCs) issued by two independent PCI DSS assessors, which led Marriott to conclude (albeit erroneously) that access to the cardholder data environment was appropriately protected, did not constitute a breach of Marriott’s obligations under the GDPR. It would seem, then, that the independent ROCs, which to the uninitiated are in effect audit reports, were accepted as evidence of appropriate security measures being in place – despite them not proving sufficiently reliable in the final analysis. An organisational control (the ROC) was effectively implemented to test a technical control (Multi-Factor Authentication, MFA): but the performance of the organisational control by Marriott’s QSA company (i.e. the testing of the MFA) was flawed.
It’s reassuring that the ICO says hindsight is not an effective methodology for assessing the appropriateness of control measures. There are many folks who all too easily jumped on the Marriott-bashing bandwagon. Of note is that having an audit programme in place through the PCI DSS ROC was sufficient to provide Marriott with something of a defensible position… well, partially!