ICO bares its teeth on customer data breaches with fines totalling £282m

With the fines imposed by the ICO increasing both in number and in size, data protection will continue to feature strongly on the risk agenda for all organisations.

11 July 2019

The Information Commissioner’s Office (ICO) has announced its intention to fine global hotel group Marriott International Inc. more than £99 million for a data breach that occurred between 2014 and 2018. 

Approximately 339 million guest records were compromised in the incident, with records containing a variety of payment details, contact details and passport numbers, including those of approximately 30 million residents living within the European Economic Area and seven million UK residents. 

According to the ICO, the incident stems from Marriott’s acquisition of Starwood Hotels in 2016. Starwood’s systems were believed to have been compromised some time in 2014. The theft of customer data was not uncovered or reported to the ICO until 2018.

The proposed penalty against Marriott International follows the ICO’s proposed record fine for British Airways announced earlier this week, amounting to £183 million and representing 1.5% of British Airways’ worldwide annual turnover.

The BA fine is the first major monetary charge to be proposed by the ICO under the General Data Protection Regulation, in which charges can be as high as 4% of worldwide turnover. Prior to this, the largest fine imposed by the ICO was £500,000 – the maximum permitted under the Data Protection Act 1998 – on Facebook, for its involvement in the Cambridge Analytica scandal. 

On a European level, Google has had the largest data protection-related fine to date – amounting to €50 million – from the French data protection agency, CNIL. The CNIL had stated that Google failed to meet the transparency requirements under the General Data Protection Regulation, and had also failed to provide a legal basis for its processing activities.

Both Marriott and British Airways have announced their intention to contest the proposed fines, but this is a serious reminder to organisations of the need for data protection compliance.

With the fines imposed by the ICO increasing both in number and in size, coupled with the risk of claims for compensation by data subjects affected by security breaches, data protection will continue to feature strongly on the risk agenda for all organisations.

If you need advice on data protection or personal data breaches, please contact our expert team.