ITB 2019 Special Reporting
Marriott’s GDPR fine – Lessons to be learned
Tuesday, 20th August 2019
Source: Bob Braun, Cybersecurity Lawyer

On August 5, 2019, Marriott International announced that it had taken a $126 million charge in the second quarter, primarily as a result of the data breach it announced in 2018.

Earlier, on July 9, 2019, the United Kingdom’s Information Commissioner’s Office (ICO), which enforces the General Data Protection Regulation (GDPR) in the UK, had announced that it intends to impose a fine of £99,200,396 ($123,705,870) on Marriott for last year’s data breach.


As was widely reported, in November 2018, Marriott disclosed that hackers had been accessing the Starwood guest reservation database since 2014. Initially, the company said the hackers stole the details of roughly 500 million hotel guests, a figure the hotel chain later corrected to 383 million following a more complete investigation. Still, 383 million records is nothing to be laughed at.

The hackers stole a breathtaking array of sensitive data:

  • 383 million guest records
  • 18.5 million encrypted passport numbers
  • 5.25 million unencrypted passport numbers
  • 9.1 million encrypted payment card numbers
  • 385,000 card numbers that were still valid at the time of the breach

An important part of the story is that the breach originated in the Starwood reservation system that Marriott acquired when it merged with Starwood in September 2016. Because the compromise was of the Starwood system, much attention has been given to Marriott’s due diligence in the merger process – particularly since Starwood had announced a breach involving more than 50 properties in November 2015, just after agreeing to be acquired by Marriott.

Elizabeth Denham, Commissioner of the ICO, focused on that fact in announcing the fine: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

This action isn’t unexpected. Practitioners in cyber law and data protection have been waiting to see how European regulators would respond to the Marriott breach. The ICO’s action answers that question, at least in part.

Hotel companies need to take this action seriously and consider its ramifications. Many industries can try to avoid becoming subject to the GDPR. Hotels, however, seek guests worldwide, whether directly or through brands, and are more likely to become subject to GDPR compliance. Moreover, hotels collect a great deal of sensitive personal information as part of their daily activities, increasing their responsibilities under the GDPR (as well as other laws, such as the soon-to-be-effective California Consumer Privacy Act).

Lessons to be Learned

The ICO’s action provides some lessons for United States companies with business in Europe, and hotel companies in particular:

  • The Starwood acquisition, and the beginning of the breach, occurred before the GDPR took effect in May 2018, but Marriott’s alleged failure to discover the compromise continued after that date and so fell within the GDPR. Whether the fine rests on Marriott’s pre-GDPR failures or on its post-integration oversight, the message is clear: absent appropriate due diligence, acquiring a security incident through a merger or acquisition can trigger liability under the GDPR.

Lesson: The date of the incident may not be determinative; the existence of the incident is.

  • The ICO’s practice is to announce a fine only after the organization has had an opportunity to make representations against the proposed penalty. In this case, Marriott itself disclosed the intended fine in order to comply with its SEC reporting requirements.

Lesson: Reporting requirements in the U.S. can affect the course of a GDPR investigation.

  • It’s unclear if cyber insurance policies issued in the United States will cover GDPR fines.

Lesson: Check your policies (and note that Marriott also announced that it had recovered $22 million in breach costs from its insurers in the second quarter).

  • As noted above, reservation systems contain significant amounts of personal and sensitive information, and Marriott was as interested in acquiring access to that data as it was in the hotels owned, managed and branded by Starwood. But that data comes with a cost.

Lesson: A company must conduct a security audit prior to combining systems, with a goal of detecting whether security basics are in order, and both companies are aligned as to how customer data is collected, handled and stored.

  • The size of the fine suggests that the ICO treated this as an “upper tier” infringement under the GDPR (up to the higher of €20 million or 4% of annual worldwide turnover), the tier reserved for violations of the basic principles for processing personal data, of the rights of individuals, or of the restrictions on transferring personal data outside the European Union.

Lesson: The ICO, and other European Union regulators, take this seriously.


Marriott is just one of the many hotel companies that have been subject to data breaches. Virtually every major hotel company, and many minor ones, have announced data breaches in the past few years, and there are likely many more that either chose not to announce a breach, or that were unaware that they were hacked.

Until now, the financial impact of a breach has been limited. While the cost of discovering, announcing and remediating a breach is high, regulators have only begun issuing GDPR fines this year.

And while Marriott’s fine is large, it is dwarfed by the fine the ICO announced against British Airways the day before – $228 million. Hotel companies have been warned – they violate the GDPR at significant financial risk.

Bob Braun is a Senior Member of JMBM’s Global Hospitality Group® and is Co-Chair of the Firm’s Cybersecurity & Privacy Group. Bob has more than 20 years’ experience representing hotel owners and developers in their contracts, relationships and disputes with hotel managers, licensors, franchisors and brands, and has negotiated hundreds of hotel management and franchise agreements. His practice includes experience with virtually every significant hotel brand and manager. Bob also advises clients on condo hotel securities issues and many transactional matters, including entity formation, financing, and joint ventures, and works with companies on their data technology, privacy and security matters. These include software licensing, cloud computing, e-commerce, data processing and outsourcing agreements for the hospitality industry.

In addition, Bob is a frequent lecturer as an expert in technology, privacy and data security issues, and is one of only two attorneys in the 2015 listing of SuperLawyers to be recognized for expertise in Information Technology. Bob is on the Advisory Board of the Information Systems Security Association, Los Angeles chapter, and a member of the International Association of Privacy Professionals. Contact Bob Braun at 310.785.5331 or rbraun@jmbm.com / www.jmbm.com


© Copyright 4Hoteliers 2001-2019 ~ unless stated otherwise, all rights reserved.