Out-Law News

ICO proposes £99m fine over Marriott data breach

Marriott International is to contest a UK regulator's plans to issue it with a £99.2 million fine for an alleged breach of data protection laws.

The hotels business disclosed to the US Securities and Exchange Commission (SEC) on Tuesday that the Information Commissioner's Office (ICO) had issued it with a notice of intent to impose the fine following its investigation into a major data breach that came to light last year.

It is the second time in two days that the ICO's plans to issue sizeable fines under the General Data Protection Regulation (GDPR) have come to light early in the process of enforcement. On Monday, the ICO confirmed that it intends to fine British Airways more than £183 million under the GDPR after personal data concerning the airline's customers was compromised by hackers.

Marriott announced last November that it had discovered there had been "unauthorised access" to one of its databases since 2014 following a cyber incident. The database was one that was added to Marriott's IT estate when it acquired the Starwood business in 2016 and it contained details of hundreds of millions of hotel guests. In January this year, Marriott provided an update in which it revised down the number of records it thought had been impacted and confirmed that the database affected had been completely phased out from use.

According to the ICO, approximately 339 million guest records were "exposed by the incident". In a statement, it said Marriott had "failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems".

However, Marriott said it will contest the ICO's plans to issue it with a £99.2m fine. It said the breach "involved a criminal attack against the Starwood guest reservation database".

Cyber risk expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said: "The message from the ICO is clear – cybersecurity and data privacy should form a central part of the due diligence businesses engage in when seeking to acquire other companies. We have seen the topic of cyber due diligence come to the fore previously in the case of the TalkTalk data breach which concerned a customer database operated by Tiscali, a company TalkTalk had previously acquired."

"The level of proposed penalty in both the BA and Marriott cases is noteworthy. It is likely that the ICO has devoted significant resources to both investigations and elected to pursue significant fines in an effort to demonstrate its willingness to use its fining powers under the GDPR and prompt other businesses to act to avoid similar penalties," he said.

"If the ICO confirms its action against Marriott, its monetary penalty notice should provide an insight into how the level of fine was calculated and whether it has been influenced by any aggravating or mitigating factors," Birdsey said.

Data protection law expert Claire Edwards of Pinsent Masons said: "The ICO will need to be able to explain as part of any appeal how the fine was determined and ensure that it is in line with the requirements of the consistency mechanism established under the GDPR which is designed to ensure the approach to enforcement is uniform across the different regulators in the EU."

The ICO said it has acted as the lead authority for investigating the Marriott data breach under the GDPR's 'one stop shop' (OSS) regime, which applies across the European Economic Area (EEA). The EEA comprises the 28 EU countries, Iceland, Liechtenstein, and Norway.

The OSS regime is aimed at reducing the bureaucracy associated with corresponding with multiple regulators. It sees one data protection authority take the lead on investigations whilst providing an opportunity for other data protection authorities in the EEA to feed into the enforcement process.

The ICO has confirmed that Marriott International has a right to make written representations in response to its notice of intent, and that it will also consider representations made by the other data protection authorities before making a final decision in the case.

Corporate law expert Julian Stanier of Pinsent Masons said: "Like in the British Airways case, the ICO has been spurred into publicising its intended enforcement action as a result of a markets disclosure by Marriott International. Although different disclosure regimes apply in the EU and the US, it seems likely that both Marriott and BA decided that the ICO's plans to issue a fine represent an event that is material for disclosure to its investors."

"We are aware of cases in other regulated industries where businesses have been able successfully to persuade regulators to revise down proposed fines in similar circumstances where they have gone public about the penalties they are facing, so the fact that details of the major fines the ICO proposes to issue to BA and Marriott are public before written representations by those companies have been developed and considered does not necessarily mean the companies' legitimate arguments against the ICO's proposed action will not be persuasive," he said.
