After sending a chill through the European business community on Monday by levying a record $230 million fine on British Airways for a June 2018 data breach, the U.K.'s Information Commissioner's Office has announced its intent to pursue Marriott International with a $123 million penalty under the EU's General Data Protection Regulation for the hacking incident the hotel giant announced in November 2018.
Marriott's data issues began in 2014 in a system operated by Starwood. Marriott inherited the breach when it acquired Starwood in 2016. Critics, including the U.K. data security watchdog, say Marriott failed in its due diligence, allowing the hack to go unchecked for years as the companies merged their systems.
Ultimately, the breach exposed personal information of 339 million consumers, including 18.5 million encrypted passport numbers, 5 million unencrypted passport numbers, more than 9 million encrypted payment card numbers and 385,000 payment cards still live when Marriott disclosed the breach in November. According to the ICO, 30 million European consumers were affected.
In a statement posted on the ICO website, commissioner Elizabeth Denham called out Marriott for its lack of data due diligence and warned any company with similar lapses that the commission intends to enforce the GDPR.
"Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public," she wrote.
In a Securities and Exchange Commission filing, Marriott emphasized that the fine has only been proposed by the ICO and that the hotel company has the right to respond before the ICO can formally impose it. Further, Marriott president and CEO Arne Sorenson voiced his opposition to the ICO's decision to pursue the penalty, noting that the hotel company has cooperated with the commission's investigation.
"We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database."
The filing noted that the affected database was no longer used for Marriott business operations.
Are More Fines on the Way for Travel Companies?
GDPR fines for data breaches can range up to 10 million euro or 2 percent of a company's annual global revenue, whichever is greater. While the fines for BA and Marriott sound high, the ICO has not exhausted its fining power, according to Samantha Simms, a London-based attorney who specializes in corporate data security and is the senior partner and founder of The Information Collective.
"The 183 million pound [US$230 million] fine was just 1.5 percent of [BA parent company] IAG's annual global turnover," she said. "The ICO warned us big fines are coming. It is making a clear statement to organizations and other data protection authorities. With Brexit looming and the [country potentially then] falling outside of the EU data protection regime, the U.K. will need to prove that it maintains a high standard of GDPR compliance. Hefty fines are a great way to achieve this."
Asked whether the travel industry is uniquely prone to data breaches, Simms demurred. "It's not that the industry is uniquely positioned, but it is a personal-data-rich industry, making it ripe for picking. Prudent travel companies will use this as a warning and an opportunity." Simms advised travel companies to review their data collection and retention to ensure they hold no more data than is necessary, and to check the controls they have put in place for GDPR and other data privacy laws to be certain that they are "living and breathing compliance."
Further, she said, travel managers should expect their travelers to be aware of the potential for data breaches at supplier airlines and hotels, even those mandated under the travel program. If a data breach does occur, there are standard precautions that both travel managers and travelers can take.
"This is just the beginning. We should expect more fines of this nature from the ICO and other EU data protection authorities as they continue to show that the GDPR is a law with real teeth," said Simms. "We should also expect fines from regulators and class action cases outside of the EU as data privacy continues to be a key issue globally."