Just a couple of days after announcing the intent to penalize British Airways £183 million or $230 million for a breach that affected 383 million records, the United Kingdom’s Information Commissioner’s Office (ICO) is about to announce another financial penalty involving the violation of GDPR.
ICO announced its intent to penalize Marriott the amount of £99 million or $123 million for a breach discovered in 2018 that involved about 339 million customer records.
The ICO is the GDPR supervisory authority in the U.K. In case of a data breach that affected EU citizen’s information, it is required to report the breach to ICO within 72 hours after discovery. ICO is tasked to investigate data breaches to find out if there was a violation of GDPR rules. ICO likewise investigates consumer complaints related to GDPR violations.
ICO received Marriott’s breach report in September 2018 and investigated the incident. While companies cannot prevent all data breaches, the GDPR requires companies to implement reasonable and proper security measures to lower the risk of a breach to a minimal and tolerable level.
In the case of Marriott’s breach, it occurred at Starwood Hotels & Resorts Worldwide. Hackers were able to access a guest reservation database in 2014. Marriott took over the hotel chain in September 2016, but was unable to identify the compromised database right up until September 8, 2018.
ICO confirmed Marriott did not do adequate research on Starwood Hotels during the negotiation of its acquisition. Marriott ought to have done far more to protect its systems and secure the personal data of its clients.
Information Commissioner Elizabeth Denham said that the GDPR is clear on its regulations that organizations are responsible for the personal information they keep. This entails carrying out the proper research before a corporate acquisition, and having the right accountability measures to evaluate what personal information has been collected, and how it is safeguarded.
Marriott gave its full cooperation with the ICO investigation. It has already re-evaluated its security system and has upgraded its security posture. There are 28 days left for Marriott to appeal the £99,200,396 penalty proposal before ICO finalizes it.