Jul 172019

Another UK ICO GDPR Privacy Fine of £99m ($123m) Proposed Just One Day After the Largest Ever

William RM Long and Eleanor Dodding
, , , , ,

Just a day after the ICO provided notice of its intention to fine British Airways £183m ($228m) over a separate breach (please see our blog post here), on Tuesday, July 9, 2019, the ICO released another statement of its intention to fine Marriott International, Inc. (“Marriott”) over £99m ($123m) in relation to a security incident affecting the Starwood reservation database which Marriott had acquired in 2016 and discovered in November 2018. The statement came in response to Marriott’s filing with the US Securities and Exchange Commission that the ICO intended to fine it for breaches of the GDPR.

The ICO, acting as lead supervisory authority on behalf of the other EU data protection authorities, said it its statement, that of the 339 million guest records that were compromised globally as part of the incident, around 30 million of the affected guest records related to residents of 31 countries in the EEA and 7 million of these records related to UK residents.

The ICO has stated that it is believed that the vulnerability which caused the Starwood incident began in 2014. Marriott subsequently acquired Starwood in 2016 but the compromise was not discovered until 2018 when it was subsequently reported to the ICO.

The second significant action by the ICO in just two days, this reinforces how crucial it is for companies to be prepared for and able to respond to privacy and cyber security threats, including in due diligence in corporate acquisitions. In the ICO’s statement, Elizabeth Denham, the UK Information Commissioner, confirmed that “organisations must be accountable for the personal data they hold and this includes carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but how it is protected.”

William RM Long

London

wlong@sidley.com

Eleanor Dodding

London

edodding@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

Substantial changes to Hong Kong’s privacy laws coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.