It was predicted that regulators would start to impose bigger GDPR fines after the first year of enforcement, and the ICO has today followed up yesterday's announcement of a £183 million fine for BA by announcing its intention to fine Marriott International £99 million for breaches of GDPR.
In response to Marriott International, Inc’s filing with the US Securities and Exchange Commission the ICO has issued a notice of its intention to fine Marriott International £99,200,396 for infringements of the General Data Protection Regulation (GDPR).
In November 2018 Marriott notified the ICO that personal data in 339 million guest records had been exposed, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.
The systems of the Starwood hotels group are believed to have been compromised in 2014, but the compromise was not spotted when Marriott acquired Starwood in 2016. The ICO therefore found that Marriott had failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.
Echoing her comments on the BA fine, Information Commissioner Elizabeth Denham issued a statement saying: "The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected. Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public."
Marriott has co-operated with the ICO investigation and can now appeal the proposed findings and penalty before the ICO makes its final decision.
As of last week, GDPR fines across all EU member states totalled €56 million, including a €50 million fine by the French DPA (CNIL) against Google in relation to Google's use of personal data for personalising advertisements.
Tim Dunton, MD at Nimbus Hosting commented: "Two monumental fines over the course of two days for breaking GDPR guidelines shows the ICO are really starting to take these breaches of security seriously – as they should be. Businesses must begin to understand the power they have when collecting and storing customer data and must face severe consequences when they fail to properly secure this.
"Website security must be the biggest concern for businesses who store personal customer information and they have to begin to ensure they are using a secure system to host their websites."
Ilias Chantzos, senior director government affairs EMEA, Symantec also emailed SC Media UK to comment on how the law will make data protection a boardroom issue, saying: "We knew GDPR had teeth. Now we can see how bad it can bite.
"Yesterday’s £183 million and today’s £99 million fines have solidified GDPR as a very serious piece of legislation, and one that is putting an organisation’s cyber security challenges and budget into an entirely new context.
"For over 40 percent of cyber security professionals a breach is just a matter of time. Consistent stress guarding the gate is understandably amplified by regulatory compliance, and in fact a staggering 86 percent of cyber security professionals underline the impact of new regulations as their most significant source of stress.
"Make no mistake, the EU devised GDPR and regulation such as the NIS Directive to improve the standard of cyber, putting crucial requirements in place to protect consumers, organisations and our critical infrastructure.
"Strong enforcement means CISOs and the boardroom must manage cyber and regulatory risk. This creates a strong business case to improve cyber-security. Regulatory compliance undeniably mandates a major improvement of cyber-security technology and systems, but it is also a significant culture change.
"These fines impact a company, that it and its customers were victims of a cyberattack. It demonstrates the importance of a comprehensive integrated cyber defence to prevent such incidents and to provide not only security, but also auditability and compliance."
Tony Pepper, CEO of Egress adds: "It’s really interesting that the ICO has issued a second intention to fine under GDPR just one day after the BA news broke. They have barely drawn breath between these two announcements that target two very well-known household names, particularly in the UK – and therefore they have achieved maximum impact in showing the potential of their extended powers under GDPR. The scale of both fines can leave no doubt in anyone’s mind that we’re now operating under very different standards than when the Data Protection Act was enforced.
"If it wasn’t clear before, it certainly is now: there can be no hiding place for organisations that fail to adequately protect customer data. If the BA announcement felt like the tip of the GDPR iceberg, the Marriott one has started to show how deep this problem really goes – and what the ICO is willing to do to get to the bottom of it."
Jake Olcott, VP Government Affairs at BitSight, concurs saying: "These fines make it clear - executives and boards are responsible and accountable for cyber-security. It has never been more important for them to understand and manage their organisation's security performance just like they would manage any other critical business issue. When it comes to cyber-security, ongoing briefings, regular reporting, and performance metrics are no longer nice to have -- they are required."
CyberInt’s lead researcher Jason Hill also noted how: "The draconian fines of £183 million imposed on British Airways and the £99 million fine on the Marriott hotel group for the well-publicised data breaches that occurred last year are a wake-up call to all organisations, big and small."
He adds, "Although this may come as a blow to a company such as BA or Marriott, they are robust enough to weather the storm. A smaller organisation suffering a serious breach could find itself overwhelmed by any penalty which, when combined with the loss of consumer confidence and the associated reputational damage, could have devastating consequences for its business."