The UK's Information Commissioner's Office (ICO) has cut the data breach penalty for the hotel group Marriott to £18.4 million (~$23.8 million) in its final penalty notice, after the watchdog originally announced in July 2019 that it intended to fine the company £99 million ($123 million).
The fine relates to a breach of the hotel giant's systems that dates back to 2014 (it involved the network of Starwood hotels, acquired in 2015) but was not discovered until November 2018.
The personal information involved varied from person to person, but the ICO said it may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival and departure information, guest VIP status and loyalty program membership numbers.
Around 339 million guest records were affected globally, though the number of individuals is believed to be lower because some records were duplicates. According to an earlier ICO estimate, the breach is thought to have affected around 30 million people in the EU.
The investigation found that Marriott had failed to put in place "appropriate technical or organisational measures to protect personal data", as required by the EU-wide General Data Protection Regulation (GDPR). (The penalty applies only to the portion of the breach that occurred after May 25, 2018, when the GDPR came into force.)
In a statement, UK Information Commissioner Elizabeth Denham said: "Millions of people have been affected by Marriott's failure. Thousands contacted a helpline and others may have had to take steps to protect their personal information because the company they trusted with it did not. When a company doesn't look after customer data, the impact isn't just a potential fine. Most important is the public, whose data they needed to protect."
A spokesperson for Marriott told us that the company "deeply regrets" the incident and added: "Marriott remains committed to the privacy and security of its guests' information and continues to make significant investments in security measures for its systems. The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests."
The hotel giant also confirmed that it does not intend to appeal the ICO's decision, though it does not admit liability.
The penalty had to be signed off by other EU data protection authorities under the GDPR's one-stop-shop mechanism for cross-border cases, and the ICO confirmed that it completed the Article 60 process before imposing the penalty.
An interesting element here is the gap between the penalty the ICO initially proposed and the final fine.
The GDPR framework substantially raised the potential level of data breach penalties, to a maximum of €20 million or 4% of a company's annual global turnover, whichever is greater. The region had data protection rules before that, but the penalties were so low they could easily be ignored. The GDPR was meant to change that.
However, almost two and a half years into the regulation's application, large fines remain rare, and a backlog of significant cross-border cases is still awaiting decisions.
Regulators may also be wary of large sums becoming tied up in appeals when companies challenge penalties.
The penalty the ICO initially proposed for Marriott's breach would have been one of the largest fines issued under the GDPR. Today's haircut revises that. The first proposed figure was around 3% of the company's 2018 revenue (around $3.6 billion); the final figure is around 0.6%.
It follows a very similar episode at the ICO involving a British Airways (BA) data breach. In July 2019 the regulator said it intended to fine the airline £183.39 million ($230 million) for a 2018 breach that affected around 500,000 customers. Earlier this month, however, BA received a final fine of just £20 million ($25.8 million).
In both cases the impact of the coronavirus appears to play a part in explaining why the ICO reduced the penalties. Although, given the size of the reductions, the pandemic may be a convenient scapegoat. (The regulator has also used it to pause action on major adtech complaints, for example.)
All the ICO has to say about Marriott's penalty cut is that it "has considered the representations of Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on its business before setting a final penalty".
Marriott told us that the reduction reflected the "major mitigation measures" it put in place after the security incident: a dedicated website where affected guests could find information; a dedicated call centre; and "millions" of email notifications sent to people whose information was involved in the breach. It also offered guests the option to enroll in a personal information monitoring service, where available.
The ICO also took representations from BA after announcing its original intention to fine, and, according to our reporting, granted a small discount, although we reported that the lion's share of BA's reduction was down to the ICO revising the degree of blame it placed on the airline for the breach.
Tim Turner, a UK-based privacy trainer and consultant, thought the coronavirus looked like a convenient scapegoat.
"I'm not blaming the ICO for having misunderstandings about feeding, but the impression that these reduced fines are down to the pandemic is very helpful to them," he told TechCrunch. "They clearly miscalculated both BA's and Marriott's fines and don't really deny it. The notices just gloss over fixing the original error, so it doesn't matter.
"Based on an unpublished draft procedure, the ICO proposed fines that went well beyond anything else in the EU. They should acknowledge that instead of letting everyone believe this is a big COVID-19 discount."