Following hot on the heels of the announcement of a £20m fine for BA, the Information Commissioner’s Office (ICO) issued a final penalty of £18.4m to Marriott International last Friday. Once again, this has been a long-running saga, including, as with BA, the proposal last year of a much larger fine of £99m. It also brings the total number of fines issued by the ICO under GDPR to 3 (compared to over 20 fines already issued in Romania).
The case is a complex one, involving a cyber-attack on Starwood Hotels and Resorts Worldwide in 2014, which remained undetected until September 2018, by which time the company had been acquired by Marriott. The fine announced by the ICO relates only to the period after GDPR came into force in May 2018, so it is difficult to be clear how many customers or records were taken into account in deciding on the size of the penalty (the headline figures are a total of 339 million guest records involved globally, including 7 million in the UK).
As ever, a variety of other factors were taken into consideration; in particular, the speed with which Marriott contacted customers as soon as they became aware of the problem, the steps they took to reduce the risk to customers and the improvements they have since made to information security were all cited as mitigating factors. As with BA, though, part of the huge reduction from the proposed fine may simply reflect the devastating effect of Covid-19 on the travel sector, making the original fine unaffordable in the current environment.
As we said earlier, this is only the third fine issued by the ICO, and two of these fines have involved firms in the travel sector that have been badly impacted by Covid-19. We are therefore still some way from having a clear idea of what the “going rate” for GDPR breaches is going to be.