HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

ICO Proposes $123 Million GDPR Fine for Marriott

Just a few days after the UK’s Information Commissioner’s Office (ICO) announced its intention to fine British Airways £183 million ($230 million) for its 383 million-record breach comes another financial penalty for GDPR violations.

ICO has announced its intention to fine Marriott £99 million ($123 million) for its breach of around 339 million customer records, which was discovered in 2018.

The ICO is the UK’s GDPR supervisory authority. When a data breach results in the exposure of EU citizens’ data, the breach must be reported to the ICO within 72 hours of discovery. The ICO investigates data breaches to determine whether GDPR rules were violated, and it also investigates complaints about GDPR violations from consumers.

After receiving Marriott’s breach report in September 2018, ICO launched an investigation. It is not reasonable to expect companies to be able to prevent all data breaches but, under GDPR, reasonable and appropriate security measures should be implemented to reduce the risk of a breach to a low and acceptable level.

In Marriott’s case, the breach occurred at Starwood Hotels & Resorts Worldwide in 2014 when hackers gained access to a guest reservation database. Marriott purchased the hotel chain in September 2016 but failed to discover the compromised database until September 8, 2018.

ICO determined Marriott had failed to conduct sufficient due diligence on Starwood Hotels when it was negotiating its acquisition, and Marriott should have done more to secure its systems and protect the personal information of its customers.

“The GDPR makes it clear that organizations must be accountable for the personal data they hold,” said Information Commissioner Elizabeth Denham. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

Marriott cooperated fully with the ICO investigation and has already overhauled its security program and improved its security posture. Marriott has 28 days to appeal the proposed £99,200,396 fine before ICO makes its final determination. “We are disappointed with this notice of intent from the ICO, which we will contest,” said Arne Sorenson, president and CEO of Marriott.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.