ICO’s Proposed $123 Million Penalty to Marriott for its GDPR Violation

Just a few days after announcing its intention to fine British Airways £183 million ($230 M) for its 383-million-record breach, the United Kingdom’s Information Commissioner’s Office (ICO) has announced another financial penalty for a GDPR violation.

The ICO has announced its proposal to fine Marriott £99 million ($123 M) for a 2018 breach that affected around 339 million customer records.

The ICO is in charge of supervising compliance with the GDPR in the U.K. In the event of a breach involving EU citizens’ data, the company must report the incident to the ICO within 72 hours of becoming aware of the breach. It is the ICO’s duty to investigate data breaches and determine whether an entity violated the GDPR rules. The ICO additionally investigates complaints about GDPR violations filed by consumers.

The ICO investigated the Marriott breach after receiving its breach report in September 2018. Although it is impossible for companies to stop all data breaches, the GDPR requires companies to put in place reasonable and appropriate security procedures to reduce the risk of a data breach to a small, tolerable level.

Marriott’s data breach originated at Starwood Hotels & Resorts Worldwide in 2014, when hackers gained access to the guest reservation database. Marriott began managing the hotel chain only in September 2016, but it was not until September 8, 2018 that Marriott discovered the compromised database.

According to the ICO, Marriott failed to perform sufficient due diligence on Starwood Hotels before negotiating its acquisition. Marriott should have done more to secure its systems and protect its clients’ personal information.

Information Commissioner Elizabeth Denham reiterated that the GDPR sets clear rules on the responsibility of organizations to protect the personal data they hold. This includes doing sufficient due diligence before a business acquisition and having proper accountability measures in place to assess what personal information is collected and how it is protected.

Marriott cooperated fully with the ICO’s investigating team. It has already re-examined its network security and enhanced its security posture. Marriott has 28 days to appeal the £99,200,396 notice of intent before the fine is finalized.

About Christine Garcia
Christine Garcia is a staff writer at Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA