ICO fines hotelier Marriott £18.4 million – reduced by around £80 million

Posted: November 24, 2020

The Information Commissioner’s Office has fined Marriott International, Inc. £18.4 million – reduced considerably from the circa £99 million fine that the ICO had originally proposed in 2019.

This notable reduction follows the ICO’s further investigation into a massive data security breach that occurred in 2014, a cyber-attack that compromised the security of the personal data of millions of hotel guests over a four-year period.  Before setting a final penalty, the ICO considered representations from Marriott, the steps that Marriott took to mitigate the effects of the breach and the economic impact of Covid-19 on Marriott’s business. 

Class action

Separately from the ICO fine, it now appears that Marriott will be facing a class action from its customers.  Recent filings in the High Court in London reveal that Marriott faces a class action suit for GDPR non-compliance for the same data security breach for which the ICO imposed the fine.

If the class action succeeds, Marriott may have to make multiple pay-outs.  Although individually such pay-outs could be for small amounts, cumulatively they could be substantial.  Even if the class action is unsuccessful, Marriott is likely to incur substantial legal costs in defending it.

Comment

It is worth noting that the fine only relates to Marriott’s breach from 25 May 2018, when new rules under the GDPR came into effect, even though the ICO’s investigation traced the cyber-attack back to 2014.  Also, because the security breach happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as the lead supervisory authority under the GDPR.

As this case amply demonstrates, even if IT vulnerabilities of a target company have not been uncovered during due diligence, the buyer will, on completion, become fully responsible for ensuring the security resilience of the entire company.  It is also worth noting that, while the ICO will continue to take a hard line on GDPR compliance, it will consider improvements made by the offending entity when taking mitigating factors into account.  Besides, as exemplified in this instance, open co-operation appears to be the best policy. 

This case also illustrates the daunting scale of the IOC’s fining powers and, at the same time, the potential usefulness in challenging an ICO Notice of Intent.  Although it is hard to quantify the impact of making such representations in a given case, the potential value in doing so is exemplified by the notable reduction in this case of more than £80 million from the initial notice.  Still, Marriott will no doubt have incurred considerable legal fees in the process against an uncertain outcome, and it will ultimately be a question of fact in each case whether there is any realistic scope for significant reduction.

Henry Elkington, Associate, Simkins LLP

To read the full article, click here.  Written for Entertainment Law Review.