Marriott Hotels GDPR Penalty may be as high as $915m

Despite the initial results of a review into a General Data Protection Regulation (GDPR) breach at the Marriott Hotels group showing that the overall number of people affected is lower than first thought, the group is facing a fine of up to $915m in relation to the breach.

It was first reported that up to 500 million individuals may have had their private personal data obtained through the breach. However, it is now calculated that this figure may actually be closer to 383 million people. The data that was breached is believed to be unencrypted passport details along with 20.3 million encrypted passport numbers. This data could possibly be used illegally as a different form of identity.

The investigation is, at present, underway in all countries where the Marriott Hotel group is based. Local data protection agencies in each individual country will be responsible for reviewing the incident thoroughly to reveal its impact. Under the GDPR legislation, which became enforceable on May 25 2018, the highest possible penalty applicable is €20m or 4% of annual global revenue for the previous year – whichever figure is higher. In 2017 Marriott reported annual global revenue of $22.89bn, so the group would be required to pay a fine of $915m if it is decided that it is to blame for the breach taking place.

Marriott has moved quickly to try to avoid being subject to the highest possible financial penalty. As a precautionary measure, all of those who may have been impacted by the data breach have been offered compensation in order to have their passport reissued, thus eliminating any possible fraud in future. Along with this, the Marriott Hotel group has established an online portal to answer all queries that customers may have in relation to the data breach, and there is also a dedicated call center available for this purpose.

However, new reports suggest that the group will also be the subject of a class action lawsuit in the United States. A class action was submitted to Maryland federal district court on January 9. The case lists plaintiffs in dozens of US states where it says that data protection laws were violated. The Marriott group was accused of participating in “deceptive, unconscionable, and substantially injurious practices.”

This further emphasises the importance of ensuring that all data is completely safeguarded and in line with the requirements of all relevant legislation. Additionally, should a breach happen, it is crucial to act quickly to protect your clients' exposed data and to avoid stringent fines.