Fine for Marriott Hotels GDPR Breach could be up to $915M

January 14, 2019


Although the initial findings of an investigation into a General Data Protection Regulation (GDPR) breach at the Marriott Hotels group suggest that fewer people were impacted than first projected, the group is facing a financial penalty of up to $915m for violating the European Union law.

When the breach was first reported, it was projected that up to 500 million people may have had their confidential personal data exposed. However, it is now thought that this number may actually be closer to 383 million people. The data in question is considered to be unencrypted passport details together with 20.3 million encrypted passport numbers. This data could possibly be used illegally as an alternative form of identity.

The investigation is ongoing in all countries where the Marriott Hotel group is located. Local data protection bodies in each country will be charged with studying the incident comprehensively to establish its impact. Under the GDPR legislation, which became enforceable on May 25, 2018, the maximum fine applicable is €20m or 4% of annual global income for the preceding year, whichever figure is higher. In 2017 Marriott reported annual global income of $22.89bn. In this case, the group would be required to pay a penalty of $915m if it is found to be accountable for the breach.

Marriott has moved quickly to try to avoid the full extent of such a financial penalty. As a safety measure, all of those possibly impacted by the data breach have been offered compensation to have their passports reissued, to prevent possible fraud in the future. In addition, the Marriott Hotel group has set up an online portal to answer any questions that clients may have about the data breach, and a dedicated call center is also available for this purpose.

However, reports suggest that the group will also face class action litigation in the United States. A class action was filed in Maryland federal district court on January 9. The case includes plaintiffs in dozens of US states, where it claims that data protection rules were breached. The Marriott group was accused of involvement in “deceptive, unconscionable, and considerably injurious practices.”

This further emphasizes the importance of making sure that all data is protected properly and in line with the requirements of all relevant legislation. Moreover, in the unfortunate event of a breach, it is crucial to move rapidly to protect your clients’ exposed data and to avoid harsh financial penalties.