The UK’s data protection authority has flexed its muscles for a second time in as many days by yesterday issuing a statement of intention to fine Marriott International £99,200,936 for infringements of the General Data Protection Regulation (GDPR).
The Marriott fine follows hot on the heels of the ICO’s proposed record £183,390,000 fine on British Airways only a day earlier. The regulator is sending a clear message that it is willing to use its enhanced fining powers given to it under the GDPR to hand out eye-watering penalties.
The Marriott breach
The breach concerned a hack on Starwood Hotels & Resorts Worldwide, which Marriott acquired in September 2016. Hackers stole data from Starwood’s reservation system, including customer credit card details, passport numbers and dates of birth. The breach took place in 2014, before the acquisition by Marriott, and Marriott only discovered it in November 2018. Marriott is no longer using the compromised Starwood reservation system.
Approximately 339 million guest records globally were compromised, of which around 30 million related to residents of 31 countries in the European Economic Area.
The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities under the ‘one-stop shop’ provisions of the GDPR.
In a statement to the press released yesterday, Marriott’s President and CEO, Arne Sorenson, confirmed that Marriott will be contesting the fine:
“We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database. We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
Marriott will now have the chance to make representations to the ICO. Data protection authorities in the EU whose residents have been affected will also have the opportunity to comment.
These enormous fines serve as a wake-up call to businesses that the ICO can, and will take, robust action for failures to protect personal data. With a number of significant data breaches currently under investigation, there are likely to be further large fines in the pipeline.
The Marriott fine also shows that the ICO is not only concerned with current data protection breaches; it is prepared to take action over historic and inherited issues too – and, if the issues have continued after GDPR implementation (25 May 2018), to issue GDPR-level fines for them.
Information Commissioner Elizabeth Denham said in the ICO’s statement of intention:
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
We are therefore likely to see an increased appetite from companies to conduct thorough data protection due diligence as part of their M&A transactions. Until now, data protection due diligence has often taken a back seat, particularly in acquisitions of non-data-intensive businesses.
Data protection now needs to be top of everyone’s agenda. The ICO means business.