Hot on the heels of the fine that the Information Commissioner's Office (ICO) intends to levy on British Airways, Marriott International will be feeling the same wrath of the ICO, which has announced its intent to fine Marriott over £99 million.
The full amount the ICO is intending to fine Marriott International is £99,200,396 for infringements of the General Data Protection Regulation (GDPR).
This dates back to a data breach that Marriott notified to the ICO in November 2018.
Personal data was exposed in the breach: around 339 million guest records globally. Further splits indicate 30 million related to residents of 31 countries in the European Economic Area (EEA) and seven million related to UK residents.
The ICO's reasoning traces the breach back to Marriott's purchase of Starwood, whose systems were compromised in 2014 and not discovered until 2018. The ICO's view is that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.
Information Commissioner Elizabeth Denham said:
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
This will NOT be the last
If the message wasn't loud and clear before from the intended British Airways fine, it should be clear now. If you hold data, you have a responsibility and a duty of care for that data.
With a fine of up to £10 million or 4% of GLOBAL revenue, whichever is greater, the onus is on companies to ensure their systems are secure, and equally how they handle data. Indeed, the Romanian data protection regulator is planning to levy a fine on another hotel.
For companies, the message is clear and simple: Protect your data and ensure your processes are secure, or you will be made an example of.
Remember, GDPR allows for up to £10m/4% of global revenue fines (whichever is greater).
I’m going to be blunt: Expect more to come.
— Kevin – Economy Class & Beyond (@EconomyBeyond) July 9, 2019
Expect regulators and data protection officers to clamp down, hard.