In its second statement of intent of the week, on 9 July 2019, the UK's Information Commissioner's Office ("ICO") announced its intention to fine Marriott International, Inc ("Marriott") £99.2m under the General Data Protection Regulation ("GDPR") for a personal data breach that occurred in relation to the Starwood guest reservation database system. 

The breach is believed to have started when Starwood hotels systems were affected by a cyber-attack in 2014.  The breach was uncovered and notified to the ICO in November 2018, two years after Starwood's acquisition by Marriott.  Personal data contained in over 330 million guest records were exposed by the incident.  About 30 million records related to individuals from over 30 countries in the European Economic Area (EEA). Around 7 million records related to individuals located in the UK.

The ICO determined that Marriott should have taken additional steps to review and secure the IT infrastructure used by Starwood.  The ICO noted that Marriott had co-operated with the investigation conducted by the ICO and had improved its security practices since the incident.  Marriott has been invited to make further representations to the ICO about the calculation of the fine before the ICO takes its final decision.   The ICO has said that it will carefully consider any representations made by Marriott and the other European data protection supervisory authorities before it makes its final determination.

Under the GDPR, a data protection supervisory authority can issue a maximum fine of up to 20 million Euros or 4% of the total annual worldwide turnover in the preceding financial year of the relevant undertaking for a serious violation of the GDPR, whichever figure is higher.

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2019. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.