When the GDPR went into effect last May, many in the industry questioned how strict enforcement would be. As of February this year, the EU had only issued 91 fines across 59,000 data breaches.
At the beginning of the year, Lev Lesokhin, EVP strategy and analytics at Cast Software, predicted that how the EU handles the Marriott breach would be the “first big test of the GDPR penalties and what the European Union is going to do there.”
Marriott is now dealing with the repercussions of the data breach it suffered in November 2018. On Tuesday, the Information Commissioner’s Office (ICO) announced that it is fining the company £99 million (USD$124 million) for breaching the GDPR.
During the breach, attackers exposed 339 million guest records. Thirty million of the records belonged to residents of countries in the European Economic Area. In addition, seven million UK residents had their information exposed.
According to the ICO, the vulnerability dates back to 2014, when there was a breach in Starwood’s systems. Marriott acquired Starwood in 2016, but did not discover the data exposure until 2018.
The ICO’s investigation into the incident “found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems,” it wrote in a statement. According to the ICO, Marriott has improved its security operations since the breach occurred.
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected,” Information Commissioner Elizabeth Denham wrote in the statement.
Divya Gupta, partner at law firm Dorsey & Whitney and privacy regulation expert, believes these fines are a signal to other companies that the GDPR is being strictly enforced, something that has been questioned given the EU’s slow response to incidents thus far. “The fines are intended to encourage compliance because when entrusted with personal data, it’s a company’s job to diligently look after it, and for many years [they] have gotten away with not doing so. More important than the headline-making penalties themselves, however, is the exposure of 339 million guest records globally, including 30 million Europeans.”
Gupta also recommends that companies doing business in the EU look at their American operations. California will be implementing a regulation similar to the GDPR in 2020. “While 30 million Europeans were impacted, even if 10% of that number were California residents — 3 million — Marriott would be looking at $300,000,000 in domestic statutory penalties at a minimum for failure to enact reasonable security practices and procedures,” Gupta said. “For companies looking for the lesson here — this GDPR penalty is a paltry sum, compared to what is looming.”