Two Fines in Two Days – ICO Plans to Fine Marriott £99m

10th July 2019

After fourteen months of criticism for ‘doing nothing’ since the GDPR came into force, the ICO has come out guns blazing. With two notices of intent to fine in two days, it clearly means business.

The ICO has said it plans to fine British Airways and Marriott International £183.39m and £99.2m respectively.

The latest notice, against Marriott International, relates to a data breach in which the personal details of approximately 339 million guest records were exposed.

The compromise of the affected systems predates Marriott’s acquisition of Starwood; however, Marriott is held responsible for not fully auditing those systems as part of its M&A due diligence.

The ICO said that Marriott had failed to properly review Starwood’s data practices and should have done more to secure its systems.

“The GDPR makes it clear that organisations must be accountable for the personal data they hold,” said Information Commissioner Elizabeth Denham.

“This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

Continually monitoring for risk

These large fines are a wake-up call to all businesses, big and small. Being a victim of crime is no defence: even if you are hacked by cyber-criminals, fixing the weaknesses after the event will not get you out of a fine. You need to monitor your network for risk continuously and make sure any risk and compliance gaps are closed before anything goes wrong.

In reality, monitoring your own networks can be complex and overwhelming. It is harder still in an acquisition: how do you independently audit and assess a network that you have no real access to, while ensuring that neither party violates the GDPR by sharing personal data before the deal completes?

RiskView supports the due-diligence requirements of mergers and acquisitions. By locating information risk and leakage from the outside, an organisation can review another organisation’s information security posture without accessing that organisation’s data, so the review itself does not contravene the GDPR. The same approach applies to other forms of due diligence, e.g. supply chain audits and partner audits, and helps you fulfil your responsibilities when adopting new practices that involve moving or accessing sensitive information. Such an external assessment complements, rather than replaces, the full review of the acquired systems and data practices that the ICO expects once the deal has completed.
