The U.K.’s data regulator on Friday fined hotel group Marriott International £18.4 million (U.S. $23.8 million) under the EU’s data protection rules for failing to keep millions of customers’ personal data secure. The fine is less than 20 percent of the original number the regulator proposed, the second time this month the Information Commissioner’s Office (ICO) drastically reduced a penalty for a violation of the General Data Protection Regulation (GDPR).

The Marriott fine is the second-highest the ICO has handed out under the GDPR following the £20 million (U.S. $26 million) penalty it hit British Airways with just two weeks ago. And like the BA fine (originally £183.39 million), Marriott’s penalty was heavily discounted from the £99.2 million figure the regulator had in mind when it issued its intention to fine notice in July last year.

Marriott’s woes go all the way back to 2014, when a hacker installed a piece of code known as a “web shell” onto a device to gain access to the IT system owned by Starwood Hotels and Resorts Worldwide—some two years before Marriott bought the hotel chain.

The attack remained undetected until September 2018. The ICO’s penalty only relates to the period after the GDPR came into force—May 2018—up until the breach was reported in November 2018.

Marriott estimates 339 million guest records worldwide were affected. Seven million guest records related to people in the United Kingdom.

The personal data included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status, and loyalty program membership numbers.

The ICO—which investigated on behalf of all other EU data protection authorities—found failures by Marriott to put appropriate technical or organizational measures in place to protect the personal data being processed on its systems, as required by the GDPR.

While the ICO has not made specific reference to why the fine has been cut by more than $100 million, it does point out Marriott acted promptly to contact customers and the ICO; that it took steps to mitigate the effects of the incident and acted quickly to mitigate the risk of damage suffered by customers; and that the company has since implemented a number of measures to improve the security of its systems.

The ICO also considered the economic impact of COVID-19 on Marriott’s business before setting a final penalty.

Marriott has not admitted liability for the breach but has said it does not intend to appeal the ICO’s decision.

In a statement, Marriott said it “deeply regrets” the incident and “wants to reassure guests that the incident and the ICO’s decision involved only Starwood’s separate network, which is no longer in use.”

Experts have been divided in their opinion of the case. When the ICO issued its intention to fine notice, some pointed out the company had a reasonable justification for feeling it was treated unfairly: Marriott was being fined massively for IT security failings that were present before it even bought Starwood. Indeed, even the ICO in its final decision notice could not determine whether it would have been possible for Marriott to conduct any due diligence of the IT systems during takeover negotiations.

Following the announcement of BA’s fine, lawyers say the cut in the size of the Marriott penalty was hardly surprising if the ICO wanted to show consistency. Some experts have also supported the regulator’s “pragmatic” and “realistic” approach to enforcement.

“Both BA and Marriott are in the travel sector, which has been badly affected by COVID-19. It would be hard to support a regulator that did not substantially reduce the size of the fines given these extraordinary circumstances,” says Camilla Winlo, director of consultancy at specialist data protection and privacy consultancy DQM GRC.

But, as in the BA case, some lawyers have questioned the size of the discrepancy between the figure cited in the intention to fine notice and the sum the organization was actually fined.

Ed Hayes, legal director at U.K. law firm TLT, says that while the £18.4 million fine “remains a step change in the ICO’s approach to enforcement and a significant deterrent to lax data protection practices,” he believes that “any regulator risks being perceived as weak when there is such a big gap between its original publicly stated intention and the actual fine it levies.”

He adds that “the lack of a clear explanation about how the proposed £99.2 million fine was first calculated gives credibility to claims the ICO just got things wrong 18 months ago.”

Lawyers also believe both cases highlight the need for companies to cooperate with the regulator, mitigate the problems, remediate victims as quickly as possible—and then state their case for a fine reduction.

“The Marriott fine, and the one for BA, clearly shows there is a thorough process to go through following the receipt of an initial ‘intent to fine’ from the ICO,” says Daniel Tozer, head of data and technology at law firm Harbottle & Lewis.

“While there will be no guarantee that a similar reduction could be expected for any company receiving an ‘intent to fine’—after all, each case will be dealt with on its own merits—this should provide some comfort that a company which deals with a breach, the ICO, and those affected properly can expect an appropriate reduction in the fine which might otherwise be levied on them.”