The ICO have issued a fine of £18.4 million against Marriott International Inc for failing to keep millions of customers’ personal data secure.
The fine against Marriott International comes after the Information Commissioner’s Office (ICO) released an enforcement notice against Experian for improper use of individuals’ data.
Why has the ICO issued a fine against Marriott International?
In short, a technological shortcoming allowed software to be installed within the network that gave an unknown attacker access to some 300 million guest records. Full details of the breach can be found here.
It is almost certain that further fines of this value will be issued against organisations that have had similar breaches; this does not bode well for the hospitality industry.
The decision is full of lessons for business, and shows that the ICO are not shying away from issuing substantive fines.
Two key messages businesses should take from this:
#1 – Don’t skimp on your technological and organisational measures
Keeping software up to date and having appropriate levels of security is paramount; the level required rises with the amount of data you hold (and also depends on the risk to the rights and freedoms of data subjects should that data be breached). Beyond the practical question “is it secure?”, contracts should back this up with guarantees and indemnities.
#2 – Don’t skip due diligence
For Marriott, the fine arose from a breach at Starwood Hotels and Resorts Worldwide Inc, which was subject to the attack in 2014. Through the acquisition, Marriott are now having to pick up the cheque book. Due diligence should have been both a legal and a technological exercise, with a forensic examination of the systems used and of the responsibilities of those supporting Starwood.
Stephens Scown have a dedicated data protection team who can assist with any organisation’s data protection matters. Contact us today for further information.