UK is Serious about GDPR Violations - Proposes $124 Million Fine Against Marriott
Everyone knows about the General Data Protection Regulation (GDPR). The GDPR is the EU’s new privacy regime in the region. Over a year has passed since its implementation and organizations are discovering how strict EU countries will enforce the law. One main provision of the GDPR is for organizations to have security measures in place that will safeguard private consumer data.
Big Consequences for Big Breaches
The U.K. Information Commissioner’s Office (ICO) is showing the world that it will not go easy on organizations that fail to protect their consumers’ personal data – especially when hackers gain access to the information. On July 9, ICO made headlines with the announcement that the Office intended to impose a very large fine ($124 million) against Marriott International for a data breach it disclosed last year. The fine represents about 2.4 percent of the organization’s annual revenue, though enforcement bodies can impose fines up to 4 percent of an organization’s annual revenue. In 2014, Starwood Hotels Group fell victim to a data breach that compromised about 339 million of their guests’ personal data, including things like passport numbers and contact information. Marriott acquired Starwood as a subsidiary in 2016, but did not discover the breach until two years later. Marriott investigated the breach and discovered that approximately seven million of the victims were U.K. consumers.
Early Detection and Disclosure is Key
When ICO received report of the breach in 2018, it conducted its own investigation into the incident. ICO concluded that if Marriott had looked deeper into Starwood’s past activity before the acquisition, it likely would have discovered the breach years earlier, which would have greatly limited the data vulnerability and risks. ICO further argued that Marriott could have required earlier breach notification and updated security systems before moving forward with the acquisition. The Office stressed the importance of performing sufficient due diligence research into a company’s past in order to have a comprehensive understanding of their existing security practices prior to an acquisition. The Marriott breach also affected many U.S. consumers, however, the U.S. does not have any comprehensive federal privacy law similar to the GDPR. At the state level, California cited this breach as a motivating factor in amending their own data breach notification statute to include more data like passport numbers.
To avoid similar fates, organizations should be proactive about data security and consider the following tips:
- Understand what the GDPR expects when handling private consumer data and implement security practices accordingly.
- Perform adequate due diligence into an organization and their security protocols before moving forward with a corporate acquisition.
- When there is a data breach, immediately disclose it to the appropriate enforcement body, review internal security systems, and update systems where there appear to be deficiencies.
Marriott has updated its security practices since discovering the breach and included the recommendations from the ICO investigation. However, the organization plans to dispute the heavy fine. These high fines seem to be the trend in the U.K., letting organizations know that it will not take violations lightly. In the same week, ICO announced a proposed $230 million fine against British Airways due to a data breach, which is about 1.5 percent of the organization’s annual sales. ICO is also rumored to be working on several other potential fines against GDPR violators. Other EU member states like France and Ireland have taken similar actions against transgressors. Expect to see this trend to continue in the coming months and years. There could be an upswing in how many data breaches that organizations report in attempt to avoid heavy fines. Under the GDPR, an organization must provide breach notification within 72 hours after discovery. The law gives an organization discretion over whether it believes the breach to be harmful enough to consumers to require notification. These heavy fines could make organizations more apt to disclose potential breaches that they previously would have deemed low risk in order to illustrate compliance.