Following on from the Information Commissioner’s Office (ICO) announcement this week that it is imposing a fine of £183 million on British Airways for its data breach in June 2018, the ICO has now announced that it intends to fine the hotel chain Marriott £99.2 million for its data breach, which was uncovered last year.
Both of these ICO investigations show that the ICO is not going to be sympathetic to organisations that do not have robust GDPR-compliant policies and processes in place, even where the organisation has itself been the victim of fraud or illegal hacking. While the fines for these two breaches are huge, and the ICO has likely chosen these cases both to generate revenue and to grab headlines, the calculation used to arrive at these figures is the same for everyone. Where a breach has occurred, the ICO can fine up to 20 million Euros or 4% of annual turnover (whichever is higher). Simply put, the worse the breach (e.g. the number of people and the type of data affected) and the worse the attitude of the company (e.g. a lax approach to security, or a failure to provide basic awareness training), the higher the fine that will be imposed. The same principles apply to all businesses; and while no business wants to be subject to a percentage-of-turnover fine, the media will focus on the attention-grabbing big numbers that invariably come from the bigger businesses. Marriott and BA will inevitably ask the question “can we weather this storm?”, and their sheer size may mean that they can, but the same may not be true for SMEs.
What was the Marriott data breach?
Marriott International bought Starwood Hotels and Resorts Worldwide in 2016.
The investigation uncovered that the details of approximately 339 million individuals had been accessed following a hack of the Starwood reservation database. This data included names, addresses, email addresses, passport information, dates of birth and gender, along with other data relevant to identifying the person who made the booking. The breach dates back to 2014 but was only discovered in 2018.
What happens now?
At the time of writing the ICO has only indicated its intention to fine Marriott £99.2 million, so this may not be the final figure.
Marriott will now have an opportunity to make representations to the ICO on the proposed findings and the proposed fine. The ICO will then consider the representations made by Marriott, and those of the other data protection authorities across Europe whose citizens have been affected by the breach, before it makes its final decision.
What can I do to avoid being hit like BA and Marriott?
GDPR compliance applies to all businesses, whatever their size. If you have adequate technological and organisational protections in place, the ICO is going to be much more sympathetic and lenient if you are the victim of fraud or hacking. These two cases show the importance of ensuring that any third-party IT providers or reservation systems have adequate security in place.
What if I acquire a new business like Marriott did?
Of particular interest in this investigation are the views of the Information Commissioner, Elizabeth Denham, on the fact that Marriott had acquired the Starwood brand. She stated: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected”. This case therefore acts as a reminder of the importance not only of examining data protection and security as part of the due diligence process when acquiring a business, but also of ensuring that any flaws uncovered during due diligence are followed up and rectified promptly after completion.