Marriott International, the multinational hotel chain, is facing a £99.2 million fine for non-compliance with data protection laws following a 2018 cyber attack that exposed personal data on 339 million guest records.
The Information Commissioner’s Office (ICO) notified Marriott of its intentions just days after levelling a record £183 million fine against British Airways (BA) for a similar data breach last year.
The penalties are some of the first to be issued under new EU General Data Protection Regulation (GDPR) rules, which allow the UK watchdog and other supervisory authorities to fine companies up to 4% of their annual turnover.
Previous data protection laws, which were in place until May 2018, capped any fine at a maximum of £500,000.
The Marriott breach is believed to have begun when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.
Catastrophe risk modeller AIR Worldwide has already estimated that the attack on Marriott could result in an insurable loss of up to $600 million.
However, as with British Airways, it is unclear whether Marriott will have to shoulder the full cost of the fine itself, or whether it can offload some of the damage via its re/insurance coverage.
The legality of insuring GDPR fines remains a grey area in the UK, with fines for criminal or quasi-criminal conduct excluded for public policy reasons.
The ICO, however, has not yet specified whether insurance coverage is ruled out for its fines, meaning incidents are generally being treated on a case-by-case basis.
While it may not be protected against the cost of the fine itself, Marriott could potentially recover other costs related to GDPR compliance, such as forensics, breach notification, breach support services, legal liability to pay damages to impacted data subjects, and defending legal and/or regulatory actions.
The ICO justified the fine by arguing that Marriott had “failed to undertake sufficient due diligence when it bought Starwood,” adding that it “should also have done more to secure its systems.”
“The GDPR makes it clear that organisations must be accountable for the personal data they hold,” said Information Commissioner Elizabeth Denham. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset,” Denham explained. “If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
The ICO acknowledged that Marriott has co-operated throughout the investigation and made improvements to its security arrangements since the breach was identified.
The company will now have an opportunity to make representations to the ICO regarding the sanction, which the ICO said it would consider before making its final decision.
“We are disappointed with this notice of intent from the ICO, which we will contest,” said Arne Sorenson, Marriott International’s President and CEO.
“We deeply regret this incident happened,” he added. “We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
Analysts at Fifth Step have suggested that GDPR fines of this size could be just the beginning for data privacy regulation, with soon-to-be-enforced legislation in the U.S. potentially ramping up penalties even further.