The Information Commissioner’s Office (ICO) has fined Marriott International Inc (Marriott) £18.4 million for breaching its data security obligations under the GDPR. The fine actually imposed is a significant reduction from the £99,200,396 that the ICO announced it intended to fine Marriott back in July. Before setting the final penalty, the ICO considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on its business.
The fine imposed by the ICO demonstrates the importance of carrying out thorough due diligence when making a corporate acquisition and, in particular, of ensuring that the due diligence exercise includes an assessment of how personal data is protected.
The breaches left about 339 million guest records worldwide exposed to a cyber-attack on Starwood Hotels and Resorts Worldwide Inc’s (Starwood) reservation database in 2014. Marriott acquired Starwood in 2016, but the exposure of customer data was only discovered in 2018, at which time Marriott notified the ICO and updated its systems.
Information Commissioner, Elizabeth Denham, said:
“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.
When a business fails to look after customers’ data, the impact is not just a possible fine; what matters most is the public whose data they had a duty to protect.”
If you require any advice on Data Protection or GDPR matters, please get in touch with Ann-Maree Blake.
Please note – this article does not constitute legal advice.