
UK watchdog reduces Marriott data breach fine to $23.8M, down from $123M

Natasha Lomas
Senior Reporter, TechCrunch
October 30, 2020

The United Kingdom’s Information Commissioner’s Office (ICO) has reduced the financial penalty imposed on hotel group Marriott for a data security incident, setting it at £14.4 million (approximately $23.8 million) in a final penalty notice. That is a steep reduction from the £99 million ($123 million) figure the regulator proposed in July 2019.

The penalty concerns a breach of the Starwood hotels network that began in 2014. Marriott agreed to acquire Starwood in 2015 and the deal closed in 2016, but the intrusion was not identified until November 2018.

The personal data exposed varied from guest to guest, but the ICO said it may have included names, email addresses, telephone numbers, unencrypted passport details, check-in and check-out dates, guests’ VIP status, and loyalty program membership numbers.

The breach affected roughly 339 million guest records worldwide, although the number of distinct individuals is thought to be lower because the data contained duplicate records. An earlier ICO estimate put the number of affected people in the European Union at around 30 million.

The ICO’s investigation found that Marriott failed to put in place “suitable technical or organizational safeguards to safeguard individuals’ data”, as required by the pan-European General Data Protection Regulation (GDPR). (The penalty covers only the part of the breach that occurred from May 25, 2018, the date GDPR became enforceable, onwards.)

In a public statement, the U.K.’s Information Commissioner, Elizabeth Denham, remarked: “Marriott’s oversight impacted the data of millions of people; numerous individuals contacted a support line, and others were potentially required to take measures to secure their personal information because of the company’s shortcomings. When an organization fails to protect customer data, the consequences extend beyond potential fines – the primary concern is the welfare of the individuals whose data they were responsible for protecting.”

A representative for Marriott conveyed the company’s “sincere regret” regarding the incident, stating: “Marriott is dedicated to the privacy and security of its guests’ information and continues to invest substantially in security enhancements for its systems. The ICO acknowledges the actions Marriott took after discovering the incident to quickly notify and protect its guests’ interests.”

The hotel group also confirmed that it will not appeal the ICO’s decision, although it does not admit liability.

Because the breach was cross-border, the ICO acted as lead supervisory authority under GDPR’s one-stop-shop mechanism and circulated its draft decision to the other concerned EU data protection authorities. The ICO confirmed that this Article 60 cooperation procedure was completed before the penalty was issued.

Going down

A noteworthy aspect of these cases is the difference between the initial penalties suggested by the ICO and the ultimately imposed fines.

The introduction of the GDPR sharply raised the potential penalties for data security failures, allowing fines of up to €20 million or 4% of an organization’s worldwide annual turnover, whichever is higher. Before that, the region’s data protection rules were often ignored because the penalties available were comparatively trivial. The GDPR was meant to change that calculus.

However, nearly two and a half years after the regulation came into force, substantial fines have been rare, and many major cross-border cases remain unresolved.

Regulatory bodies may also be hesitant to pursue large fines due to concerns about their enforceability if companies choose to appeal.

The ICO’s original proposed penalty for the Marriott breach would have been among the largest fines issued under the GDPR. The final figure announced today is a substantial reduction: the proposed amount equated to roughly 3% of the company’s 2018 revenue (around $3.6 billion), while the final penalty amounts to roughly 0.6%.

This mirrors the British Airways case, in which the ICO announced in July 2019 that it intended to fine the airline £183.39 million ($230 million) for a 2018 breach affecting around 500,000 customers. Earlier this month, the final penalty issued to BA was just £20 million ($25.8 million).

In both cases the ICO cited the impact of the coronavirus pandemic as a factor in lowering the penalties. Given the size of the reductions, however, the pandemic looks like a convenient explanation. (The regulator has also used it to justify pausing work on major adtech complaints, for example.)

The ICO’s only statement regarding the reduction in Marriott’s penalty is that it “took into account representations from Marriott, the measures Marriott implemented to lessen the effects of the incident, and the economic consequences of COVID-19 on their business before determining the final penalty”.

Marriott explained that the reduction in the penalty reflects “extensive mitigating actions” they undertook following the security incident – specifically mentioning the establishment of a dedicated website for information, the launch of a dedicated helpline, and the distribution of “millions” of email notifications to affected individuals. They also stated they offered guests the option to enroll in a personal information monitoring service where available.

The ICO likewise took representations from British Airways into account after announcing its intention to fine the airline, which it said accounted for a minor part of the reduction, as previously reported. Our reporting indicated, however, that the main reason for the BA reduction was a reassessment of the airline’s degree of culpability for the breach.

Tim Turner, a U.K.-based data protection trainer and consultant, suggested that the coronavirus appears to be a convenient justification when asked for his perspective on the ICO’s penalty reductions.

“I’m not suggesting the ICO is intentionally creating confusion, but the perception that these reduced fines are attributable to the pandemic is beneficial to them,” he told TechCrunch. “They clearly overestimated the fines for both BA and Marriott by a significant margin, and they don’t dispute this. The official notices simply state that the initial error has been corrected, rendering it irrelevant.”

“The ICO was proposing fines far exceeding those seen elsewhere in the EU based on a draft, unpublished procedure. They should address this issue rather than allowing the public to believe this is simply a substantial COVID-19 discount.”

Tags: Marriott data breach, data breach fine, UK watchdog, data protection, GDPR, cybersecurity

Natasha Lomas

Natasha served as a leading journalist at TechCrunch for over twelve years, from September 2012 until April 2025, reporting from a European base. Before her time at TC, she evaluated mobile phones for CNET UK. Earlier in her career, she dedicated more than five years to covering the realm of business technology at silicon.com – which is now part of TechRepublic – with a concentration on mobile and wireless technologies, telecommunications and networking, and the development of IT expertise. She also contributed as a freelance writer to prominent organizations such as The Guardian and the BBC. Natasha’s academic background includes a First Class Honours degree in English from Cambridge University, complemented by a Master of Arts degree in journalism from Goldsmiths College, University of London.