The UK’s ICO has reduced the size of a data breach penalty for hotel business Marriott — dropping it to £14.4 million (~$23.8M) in a final penalty notice down from the £99M ($123M) figure that the watchdog initially said it would levy in July 2019.
The fine relates to a data breach suffered by the hotel giant that dates back to 2014 (involving the network of Starwood hotels, which it had acquired in 2015) — but which wasn’t discovered until November 2018.
The personal data involved in the breach differed between individuals but the ICO said it may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number.
Globally, some 339 million guest records were affected but fewer individuals are thought to have been compromised owing to some of the records being duplicates. The breach is thought to have affected around 30 million users across the EU, per an earlier ICO estimate.
Its investigation found there were failures by Marriott to put “appropriate technical or organisational measures in place to protect people’s data” — as required by the pan-EU General Data Protection Regulation (GDPR) . (The penalty only covers the portion of the breach that dates from 25 May 2018 — when the GDPR came into effect.)
Commenting in a statement, the UK’s information commissioner Elizabeth Denham said: “Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not. When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
A Marriott spokesperson told us the company “deeply regrets” the incident, adding in a statement: “Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems. The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”
The hotel giant also confirmed it does not intend to appeal the ICO’s decision (while not making any admission of liability).
The penalty had to be signed off by other EU data protection authorities, under the GDPR’s one-stop-shop mechanism for cross-border cases. And the ICO confirmed it completed the Article 60 process prior to the issuing of the penalty.
One interesting element here is the difference between the initial penalty proposed by the ICO and the final fine.
The GDPR framework greatly increased the potential size of penalties for data breaches, up to a maximum of £20M or 4% of an entity’s global annual turnover (whichever is greater). Prior to that data protection rules existed in the region but could be easily ignored, given puny penalties. The GDPR was supposed to change that.
However, almost 2.5 years since the framework begun being applied, large fines remain rare — with a backlog of major cross-border cases still awaiting decisions.
Regulations may also be concerned about being able to make large sums stick if companies appeal.
The ICO’s initial penalty for the Marriott breach would have been one of the largest fines issued under the GDPR. Today’s haircut revises that. The first figure proposed represented around 3% of the company’s 2018 revenue (circa $3.6BN) — but that’s now shrunk to around 0.6%.
It follows a very similar episode at the ICO over a BA data breach. In July 2019 the regulator said it intended to fine the airliner £183.39M ($230M) for a 2018 data breach that affected some 500,000 customers. But earlier this month it issued a final penalty to BA of just £20M ($25.8M).
In both cases the impact of the coronavirus appears to be playing some part in explaining why the ICO has reduced the size of the penalties. Although the pandemic might be something of a useful scapegoat given the substantial size of the reductions involved. (The regulator has also used it to ‘pause’ any action over major adtech complaints, for example.)
All the ICO has to say vis-a-vis Marriott’s penalty haircut is that it “considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business before setting a final penalty”.
On the reduction in the size of the penalty Marriott told us it reflects “extensive mitigating measures” it put in place following the security incident — noting that it established a dedicated website to provide information to concerned guests; opened a dedicated helpline; and sent “millions” of email notifications to individuals whose information was involved in the breach. It also said it offered guests the opportunity to sign up for a personal information monitoring service where it was available.
The ICO similarly took representations from BA after issuing its initial intention to fine — and ended up making a small discount as a result, per our report, though we reported that the lion’s share of the BA reduction was due to revising how much blame it had placed on the airline for the breach.
Asked for a view on the ICO’s penalty haircuts, Tim Turner, a UK based data protection trainer and consultant, agreed that the coronavirus looks like a handy scapegoat.
“I’m not accusing the ICO of feeding misunderstanding but the impression that these reduced fines are down to the pandemic is very helpful to them,” he told TechCrunch. “They plainly miscalculated both the BA and Marriott fines by a huge margin, and they don’t really deny it. The notices just skate over that on the basis that the original mistake has been rectified so it doesn’t matter.
“The ICO were proposing fines way beyond anything in the EU on the basis of a draft, unpublished procedure. They ought to account for that rather than letting everyone think this is a big COVID-19 discount.”