Skip to main content
https://www.highperformancecpmgate.com/rgeesizw1?key=a9d7b2ab045c91688419e8e18a006621

UK watchdog reduces Marriott data breach fine to $23.8M, down from $123M

The UK’s ICO has reduced the size of a data breach penalty for hotel business Marriott — dropping it to £14.4 million (~$23.8M) in a final penalty notice down from the £99M ($123M) figure that the watchdog initially said it would levy in July 2019.

The fine relates to a data breach suffered by the hotel giant that dates back to 2014 (involving the network of Starwood hotels, which it had acquired in 2015) — but which wasn’t discovered until November 2018.

The personal data involved in the breach differed between individuals but the ICO said it may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number.

Globally, some 339 million guest records were affected but fewer individuals are thought to have been compromised owing to some of the records being duplicates. The breach is thought to have affected around 30 million users across the EU, per an earlier ICO estimate.

Its investigation found there were failures by Marriott to put “appropriate technical or organisational measures in place to protect people’s data” — as required by the pan-EU General Data Protection Regulation (GDPR). (The penalty only covers the portion of the breach that dates from 25 May 2018 — when the GDPR came into effect.)

Commenting in a statement, the UK’s information commissioner Elizabeth Denham said: “Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not. When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

A Marriott spokesperson told us the company “deeply regrets” the incident, adding in a statement: “Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems. The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”

The hotel giant also confirmed it does not intend to appeal the ICO’s decision (while not making any admission of liability).

The penalty had to be signed off by other EU data protection authorities, under the GDPR’s one-stop-shop mechanism for cross-border cases. And the ICO confirmed it completed the Article 60 process prior to the issuing of the penalty.

One interesting element here is the difference between the initial penalty proposed by the ICO and the final fine.

The GDPR framework greatly increased the potential size of penalties for data breaches, up to a maximum of £20M or 4% of an entity’s global annual turnover (whichever is greater). Prior to that data protection rules existed in the region but could be easily ignored, given puny penalties. The GDPR was supposed to change that.

However, almost 2.5 years since the framework begun being applied, large fines remain rare — with a backlog of major cross-border cases still awaiting decisions.

Regulations may also be concerned about being able to make large sums stick if companies appeal.

The ICO’s initial penalty for the Marriott breach would have been one of the largest fines issued under the GDPR. Today’s haircut revises that. The first figure proposed represented around 3% of the company’s 2018 revenue (circa $3.6BN) — but that’s now shrunk to around 0.6%.

It follows a very similar episode at the ICO over a BA data breach. In July 2019 the regulator said it intended to fine the airliner £183.39M ($230M) for a 2018 data breach that affected some 500,000 customers. But earlier this month it issued a final penalty to BA of just £20M ($25.8M).

In both cases the impact of the coronavirus appears to be playing some part in explaining why the ICO has reduced the size of the penalties. Although the pandemic might be something of a useful scapegoat given the substantial size of the reductions involved. (The regulator has also used it to ‘pause’ any action over major adtech complaints, for example.)

All the ICO has to say vis-a-vis Marriott’s penalty haircut is that it “considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business before setting a final penalty”.

On the reduction in the size of the penalty Marriott told us it reflects “extensive mitigating measures” it put in place following the security incident — noting that it established a dedicated website to provide information to concerned guests; opened a dedicated helpline; and sent “millions” of email notifications to individuals whose information was involved in the breach. It also said it offered guests the opportunity to sign up for a personal information monitoring service where it was available.

The ICO similarly took representations from BA after issuing its initial intention to fine — and ended up making a small discount as a result, per our report, though we reported that the lion’s share of the BA reduction was due to revising how much blame it had placed on the airline for the breach.

Asked for a view on the ICO’s penalty haircuts, Tim Turner, a UK based data protection trainer and consultant, agreed that the coronavirus looks like a handy scapegoat.

“I’m not accusing the ICO of feeding misunderstanding but the impression that these reduced fines are down to the pandemic is very helpful to them,” he told TechCrunch. “They plainly miscalculated both the BA and Marriott fines by a huge margin, and they don’t really deny it. The notices just skate over that on the basis that the original mistake has been rectified so it doesn’t matter.

“The ICO were proposing fines way beyond anything in the EU on the basis of a draft, unpublished procedure. They ought to account for that rather than letting everyone think this is a big COVID-19 discount.”

Comments

Popular posts from this blog

Uber co-founder Garrett Camp steps back from board director role

Uber co-founder Garrett Camp is relinquishing his role as a board director and switching to board observer — where he says he’ll focus on product strategy for the ride hailing giant. Camp made the announcement in a short Medium post in which he writes of his decade at Uber: “I’ve learned a lot, and realized that I’m most helpful when focused on product strategy & design, and this is where I’d like to focus going forward.” “I will continue to work with Dara [Khosrowshahi, Uber CEO] and the product and technology leadership teams to brainstorm new ideas, iterate on plans and designs, and continue to innovate at scale,” he adds. “We have a strong and diverse team in place, and I’m confident everyone will navigate well during these turbulent times.” The Canadian billionaire entrepreneur signs off by saying he’s looking forward to helping Uber “brainstorm the next big idea”. Camp hasn’t been short of ideas over his career in tech. He’s the co-founder of the web 2.0 recommendatio...

Drone crash near kids leads Swiss Post and Matternet to suspend autonomous deliveries

A serious crash by a delivery drone in Switzerland have grounded the fleet and put a partnership on ice. Within a stone’s throw of a school, the incident raised grim possibilities for the possibilities of catastrophic failure of payload-bearing autonomous aerial vehicles. The drones were operated by Matternet as part of a partnership with the Swiss Post (i.e. the postal service), which was using the craft to dispatch lab samples from one medical center for priority cases. As far as potential applications of drone delivery, it’s a home run — but twice now the craft have crashed, first with a soft landing and the second time a very hard one. The first incident, in January, was the result of a GPS hardware error; the drone entered a planned failback state and deployed its emergency parachute, falling slowly to the ground. Measures were taken to improve the GPS systems. The second failure in May, however, led to the drone attempting to deploy its parachute again, only to sever the line...

How the world’s largest cannabis dispensary avoids social media restrictions

Planet 13 is the world’s largest cannabis dispensary. Located in Las Vegas, blocks off the Strip, the facility is the size of a small Walmart. By design, it’s hard to miss. Planet 13 is upending the dispensary model. It’s big, loud and visitors are encouraged to photograph everything. As part of the cannabis industry, Planet 13 is heavily restricted on the type of content it can publish on Instagram, Facebook and other social media platforms. It’s not allowed to post pictures of buds or vapes on some sites. It can’t talk about pricing or product selection on others.   View this post on Instagram   A post shared by Morgan Celeste SF Blogger (@bayareabeautyblogger) on Jan 25, 2020 at 7:54pm PST Instead, Planet 13 encourages its thousands of visitors to take photos and videos. Starting with the entrance, the facility is full of surprises tailored for the ‘gram. As a business, Planet 13’s social media content is heavily restricted a...