A new ruling by the Information Commissioner’s Office (ICO) has highlighted the need for companies to ensure their computer systems are adequate to keep data safe.
The ICO plans to fine hotel chain Marriott International £99m for General Data Protection Regulation (GDPR) infringements, just days after a record-breaking £183m fine for British Airways over a privacy breach.
The proposed sanction against Marriott relates to a cyber security lapse and appears to have been caused by a vulnerability in computer systems.
Marriott bought the Starwood hotel group in 2016, and it appears they had no knowledge of the issues with the data storage.
It was not until November 2018 that it was realised that the vulnerability had exposed up to 339 million guest records, including personal data.
Employment lawyer Karen Coleman said: “This huge fine could be viewed as unfortunate for Marriott as they had no knowledge of the data vulnerability. However, the Information Commissioner Elizabeth Denham has made it clear that companies must be accountable for the data they keep.
“During an acquisition, the buyer must put in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
In her ruling, Denham said: “Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
The hotel group will be given a chance to make representations to the ICO as to the proposed findings and sanction, and has indicated it intends to respond and vigorously defend its position.
They say that they deeply regret the incident and that improvements have been made to their security. Marriott also point to the fact that they reported the issues to the ICO.
Karen Coleman added: “GDPR legislation makes it clear that you must be responsible for the data under your control. This case should serve as a warning that all companies should assess how their online systems could impact on their GDPR responsibilities.”