Just two days after the announcement of the huge BA data breach fine to the tune of £183m, the Marriott data breach fine is reportedly going to be set at £99m.
These are real statements of intent from the UK’s data watchdog, the ICO (the Information Commissioner’s Office).
When GDPR came into force last year, there was little doubt about the responsibilities that organisations have when it comes to data protection, and the punishments for failure are clear. We’re pleased with the announcement of another huge fine, and as always, we continue to fight for justice for the victims who deserve compensation for the loss of control of their personal information.
Significant Marriott data breach fine
The provisional Marriott data breach fine that’s understood to be set at £99m is another significant GDPR punishment. Before, we had maximum fines of £500,000.00, but now, organisations can be fined up to 4% of their global annual turnover.
The incentive to ensure that data is processed and stored safely is evident. The level of fines that can be issued is enormous, and all organisations need to do is comply with the law.
The Marriott data breach itself was a significant one. Hundreds of millions of records were compromised, of which seven million were understood to belong to UK citizens. The Starwood database had reportedly been compromised since 2014, but the breach was only discovered years later, with the announcement of the problem hitting the headlines in 2018.
The Marriott chain acquired the Starwood chain in 2016, but somewhere along the line, due diligence in terms of cybersecurity wasn’t adequately performed.
How does the fine affect claims for compensation?
It’s important to distinguish between the Marriott data breach fine and claims for data breach compensation. Money from the proposed £99m penalty will usually go to the treasury as it’s not designed to be used for compensation.
Damages claims for the victims are a separate matter. Data breach compensation amounts are based on the extent of any distress and financial loss that has been caused.
What we do is pursue the organisations for compensation, and although the fine is separate from legal action, penalties can help with cases. They show that there has been a clear failure to adhere to important data protection legislation, which is a powerful tool in our legal arsenal when it comes to succeeding with compensation action.
Reaction to Marriott data breach fine
The reaction to the Marriott data breach fine has been similar to that of the BA data breach fine. It’s understood that Marriott has expressed that it’s “disappointed” with the findings, which is hard to believe given the circumstances of the particular breach.
In our view, a clear breach of important data protection legislation has taken place, and the proposed fine is more than justified.
Speaking about the £99m fine, Information Commissioner Elizabeth Denham said:
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
We continue to monitor the news of further GDPR fines, particularly for those where we’re involved in data breach group actions for compensation.
To find out if you can claim compensation, make sure you get in touch with our legal team today.
IMPORTANT: advice on this page is intended to be up-to-date for the 'first published date'.
First published by Matthew on July 10, 2019