You can be fined 4% of your annual revenue!
Marriott parent Starwood Properties had its reservation system hacked and leaked 339 million records, five million passport numbers, eight million credit card numbers. The company was unaware of the breach for a full four years!
In two days the ICO has issued a third of a billion dollars in fines, and the week still has three more days in it.
“We are disappointed with this notice of intent from the ICO, which we will contest,” said Marriott’s chief executive Arne Sorenson, in a statement. “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”
Under the new GDPR regime, the ICO has the right to fine up to four percent of a company’s annual turnover. Given Marriott made about $3.6 billion in revenue during 2018, the ICO’s fine represents about 3 percent of the company’s global revenue.
Update: Total 2018 Marriott revenue was $20.75B.
Divya Gupta is a partner at the international law firm Dorsey & Whitney and guides clients through complex and changing privacy laws and internet regulations. Divya is on the cutting edge of GDPR and the California Consumer Privacy Act (CCPA) and says this fine should be a wake-up call for companies that have operations not only in the UK but in the U.S. as well.
“Marriott faces huge fines for a GDPR breach this week, a signal to other companies that the regulatory bodies are strictly enforcing the law to protect consumer personal data. These steep fines to Marriott are a warning to companies that fail to protect this private information from loss, damage or theft. The fines are intended to encourage compliance because when entrusted with personal data, it’s a company’s job to diligently look after it, and for many years have gotten away with not doing so,” Gupta says.
“With further fines like this one on the horizon, companies doing business in the EU should also look to their American operations. With several states imposing privacy laws in the United States, with California leading the pack with the California Consumer Privacy Act, this means possible future penalties for non-compliance now. While 30 million Europeans were impacted even if 10% of that number were California residents – 3 million — Marriott would be looking at $300,000,000 in domestic statutory penalties at a minimum for failure to enact reasonable security practices and procedures. For companies looking for the lesson here — this GDPR penalty is a paltry sum, compared to what is looming,” Gupta says.
The ICO said Marriott will be given an opportunity to discuss the proposed findings and sanctions.
“The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision,” said the U.K. data protection authority.
This is yet another reminder that companies can be fined 4% of their annual revenue if they get hacked.
The biggest challenge companies face right now is they are unaware of this reality.
A single breach can fine you into oblivion.