ICO proposes second GDPR fine in two days

The ICO has issued its second notice of intention to impose a huge fine over GDPR breaches. It has notified Marriott International Inc that it intends to fine them over £99.2 million for data breaches. The notice came one day after the ICO published a notice that it intended to fine British Airways more than £183 million. 

How did the GDPR breach at Marriott occur?

Marriott’s breach arose following a cyber security incident. This reportedly took place in 2014, when Starwood hotels group’s systems were compromised.  Personal data contained in around 339 million guest records was exposed. Around 30 million of these related to EEA residents, including seven million UK residents. 

Marriott acquired Starwood in 2016. However, they did not discover the exposure of customer information until 2018.

The ICO concluded that Marriott failed to undertake sufficient due diligence when acquiring Starwood. It also felt Marriott should have done more to secure its own systems. 

Marriott now has 28 days to appeal and make representations before the sanction is finalised.

What are the implications of the ICO fine on Marriott and other businesses?

The ICO faced a backlog of work following the GDPR’s introduction. Now that it has issued its second notice of intention in two days, it appears it is reaching the end of its first major GDPR investigations. 

While Marriott International Inc are based in the US, they were caught by the GDPR because the data breach concerned millions of EEA citizens. 

As with the ICO’s notice to British Airways, this fine is huge and dwarfs the maximum penalty under the previous law (£500,000 under the Data Protection Act 1998). While far below the maximum possible penalty of 4% of Marriott’s annual global turnover, the proposed fine is significant. For large organisations, 4% of annual global turnover can eclipse by far the alternative maximum penalty of €20 million. 

This data breach happened before Marriott acquired Starwood. They have since phased out the guest reservation system in question. Marriott cooperated with the ICO in its investigations and improved its security systems. However, this was not enough to escape a fine. The ICO is sending a clear message to organisations that they must safeguard personal data they hold.

When conducting corporate transactions, due diligence is key. Parties should include indemnities for data breaches to cover scenarios like this. 

We will wait to see if the ICO reduces the fine once Marriott has made its representations. However, it seems clear that the ICO is willing to utilise the higher fines under the GDPR where personal data is compromised.