ICO Proposes $123 Million GDPR Fine for Marriott

Just a few days after the UK’s Information Commissioner’s Office (ICO) announced its intention to fine British Airways £183 million ($230 million) for its 383 million-record breach comes another financial penalty for GDPR violations.

ICO has announced its intention to fine Marriott £99 million ($123 million) for its breach of around 339 million customer records, which was discovered in 2018.

The ICO is the UK’s GDPR supervisory authority. When a data breach results in the exposure of EU citizens’ data, it must be reported to the ICO within 72 hours of discovery. The ICO investigates data breaches to determine whether GDPR rules were violated, and it also investigates complaints about GDPR violations from consumers.

After receiving Marriott’s breach report in September 2018, ICO launched an investigation. It is not reasonable to expect companies to be able to prevent all data breaches but, under GDPR, reasonable and appropriate security measures should be implemented to reduce the risk of a breach to a low and acceptable level.

In Marriott’s case, the breach occurred at Starwood Hotels & Resorts Worldwide in 2014 when hackers gained access to a guest reservation database. Marriott purchased the hotel chain in September 2016 but failed to discover the compromised database until September 8, 2018.

ICO determined Marriott had failed to conduct sufficient due diligence on Starwood Hotels when it was negotiating its acquisition, and Marriott should have done more to secure its systems and protect the personal information of its customers.

“The GDPR makes it clear that organizations must be accountable for the personal data they hold,” said Information Commissioner Elizabeth Denham. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

Marriott cooperated fully with the ICO investigation and has already overhauled its security program and improved its security posture. Marriott has 28 days to appeal the proposed £99,200,396 fine before the ICO makes its final determination. “We are disappointed with this notice of intent from the ICO, which we will contest,” said Arne Sorenson, president and CEO of Marriott.

Author: HIPAA Journal
