On July 9, 2019, the UK Information Commissioner’s Office (“ICO”) announced its intention to fine Marriott International, Inc. (“Marriott”) £99,200,396 (approximately $124 million) for infringements of the EU General Data Protection Regulation (“GDPR”). The ICO’s announcement followed Marriott’s notification of the proposed fine to the U.S. Securities and Exchange Commission (“SEC”).
The ICO stated that the proposed fine followed an extensive investigation into a cyber incident that Marriott notified to the ICO in November 2018. Personal data in approximately 339 million guest records was exposed in the breach, including 30 million records relating to EEA residents, seven million of them UK residents.
According to the ICO, the compromise began in 2014, when systems of the Starwood hotels group, acquired by Marriott in 2016, were breached. The exposure of customer information was not discovered until 2018, two years after the acquisition. The ICO found that Marriott failed to undertake appropriate due diligence during the acquisition and should have done more to secure its systems.
Information Commissioner Elizabeth Denham commented: “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
Marriott stated in its SEC filing that it intends to contest the proposed fine and is “disappointed” with the action taken by the ICO, adding that it takes the privacy and security of guest information very seriously.
This proposed fine follows closely on the heels of the record £183 million ($230 million) fine proposed against British Airways, announced by the ICO only one day earlier. The Marriott action is only the second enforcement action under the GDPR to be publicly announced by the ICO.
The ICO has investigated the incident as Marriott’s lead supervisory authority under the GDPR’s “one stop shop” system. Data protection authorities in other EU Member States whose residents have been affected by the incident will have an opportunity to comment on the ICO’s findings before a final decision is made.