Penalty for Marriott Hotels GDPR Breach could be up to $915M

Although the initial findings of an investigation into a General Data Protection Regulation (GDPR) breach at the Marriott Hotels group indicate that the number of people impacted is lower than expected, the group is facing a financial penalty of up to $915m in relation to the violation of the European Union legislation.

When the breach was first reported, it was estimated that up to 500 million individuals may have had their private personal data exposed. However, it is now thought that this figure may actually be closer to 383 million people. The data in question is believed to be unencrypted passport details along with 20.3 million encrypted passport numbers. This data could potentially be used illegally as an alternative form of identity.

The investigation is currently underway in all countries where the Marriott Hotel group is located. Local data protection bodies in each country will be charged with reviewing the incident thoroughly to reveal its impact. Under the GDPR legislation, which became enforceable on May 25, 2018, the maximum penalty applicable is €20m or 4% of annual global revenue for the previous year, whichever figure is higher. In 2017 Marriott reported annual global revenue of $22.89bn. In this case the group would be required to pay a fine of $915m if it is found to be responsible for the breach occurring.

Marriott has moved swiftly to try to avoid suffering the full extent of such a financial penalty. As a precautionary measure, all of those potentially impacted by the data breach have been offered compensation in order to have their passport reissued, thus preventing any possible fraud in future. In addition, the Marriott Hotel group has set up an online portal to answer all questions that customers may have in relation to the data breach, and there is also a dedicated call center available for this purpose.

However, reports today indicate that the group will also be subjected to a class action lawsuit in the United States. A class action was filed in Maryland federal district court on January 9. The case includes plaintiffs in dozens of US states where it claims that data protection laws were breached. The Marriott group was accused of involvement in “deceptive, unconscionable, and substantially injurious practices.”

This further highlights the importance of ensuring that all data is being protected correctly and in line with the requirements of all relevant legislation. Additionally, in the unfortunate event of a breach occurring, it is vital to move quickly to protect your clients' exposed data and to avoid stringent financial penalties.