UPDATE
ICO was requested the status of this proposed penalties on Nov 12, 2019. ICO issued a response ICO Disclosure Log – Response ENQ0889841: “[Marriott] made representations to the Information Commissioner regarding these notices in accordance with Schedule 16, paragraph 3(3) of the Data Protection Act 2018. The Information Commissioner is considering those representations in deciding whether to give a penalty notice, and the amount of the penalty if a penalty notice is given. ” See more here
——————
In July 2019, the UK Data Protection Authority, the Information Commissioner Officer (ICO), announced that it intends to fine Marriott International, Inc., for breach of data protection law.
The fine would amount to around $123.000.000.
Approximately 339 million records of Marriot’s guests globally were exposed. Out of these, around 30 million were EEA residents and 7 million UK residents. The cyber incident began in 2014, continued through 2016 when Marriott acquired Starwood in 2016, and was discovered in 2018.
According to the ICO’s investigation, Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.
The EU data protection authorities whose residents have been affected will also have the chance to comment on the ICO’s findings, under the General Data Protection Regulation (GDPR) one stop shop mechanism.
The ICO will consider the comments submitted by Marriot and the other DPAs before issuing its final decision.
Marriott International Update on Starwood Reservation Database Security Incident is available at https://www.sec.gov,…
The ICO’s statement: Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach is available at https://ico.org.uk..
For information on international data transfer: Francesca Giannoni-Crystal and Federica Romanelli
If your organization would like to receive assistance on GDPR compliance, feel free to contact us at: http://www.cgcfirm.com/contacts/