With the breaking news that Marriott could be fined approximately $124M for its Starwood data breach, many are wondering if the fine is too high, too low or perhaps just right. HT talked with a variety of industry experts to get their opinion and found their responses to be a fairly mixed bag.
To begin with, the ICO said in its statement regarding its intent to fine Marriott that a variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents. Since the ICO only has the power to issue fines based on EU residents, the fine should be connected only to the 30 million guest records that were affected.
According to Justin Fox, director, devops engineering at NuData Security, a Mastercard Company, this fine is on par with the purchasing rate for exposed records online. Marriott is being penalized approximately $0.31 per guest record while the going rate among cybercriminals for account credentials ranges from $0.20 to $15.
"The potential fine is significant but could’ve been higher," says Rick Holland, CISO and Vice President of Strategy at Digital Shadows. "The potential fine could deliberately be on the lower end of what could’ve been handed down in an effort to reduce the company’s legal response options. The ICO might be attempting to mitigate any claims that the potential fine is unreasonably high."
Matt Wilson, Chief Information Security Advisor at BTB Security, a cybersecurity consulting firm, agrees.
"If there could be such a thing as a 'Goldilocks' amount for fines, the values both Marriott and British Airways were hit with this week would be close," he notes. "The fines are large enough for the attention-getting headlines that the regulators likely wanted, yet small enough when compared to the size of the respective organizations to not cripple the business or threaten jobs. This could have been much worse, as under GDPR (and depending upon which Articles were violated), up to 2% or 4% of 'global turnover' or revenue could be levied as a fine. In Marriott's case, this could have been around $800M at the high end."
As it stands, the fine represents approximately 1.5% of Marriott's global revenue.
Others, however, feel the fine could and perhaps should have been higher.
"I'm frankly surprised by how low Marriott's fine is, especially compared with a relatively high fine for British Airways," says Nyotron's VP of Product Strategy, Rene Kolga. British Airways was fined £183M, or approximately $230M. "Remember that British Airways' hack affected about 380,000 people over a short two-week period."
Kutak Rock attorney Jon Breyer agrees, noting that these fines will become the measuring stick for how future fines are imposed on companies for similar misconduct.
"In that light, these fines appear to set a relatively low bar for the ICO to issue sizable fines," he adds.
While the fines issued this week to British Airways and Marriott are the largest imposed under the General Data Protection Regulation (GDPR) to date, larger ones may be yet to come, as Google, Facebook, and Apple remain under investigation by the Irish Data Protection Commission, notes Breyer.
While the debate over the size of the fine will likely continue for some time, what is clear is that the ICO is doing its best to draw a line in the sand.
"The scale of both the Marriott and British Airways fines can leave no doubt in anyone’s mind that we’re now operating under very different standards than when the Data Protection Act was enforced," says Tony Pepper, CEO of Egress Software. "Fines of this scale have never been seen in the UK before, and for them to be issued to such big organizations sends a clear message to the wider industry."
Doron S. Goldstein, partner and co-head of the Privacy, Data and Cybersecurity Practice at Katten Muchin Rosenman LLP, agrees.
"The fines announced by the ICO on both Marriott and, earlier this week, on British Airways are indicative of how seriously the regulators are taking data protection – in these cases, the obligation to keep the information secure. But the EU regulators have also initiated actions against companies for various other GDPR violations (not just breaches), so this is part of a larger pattern of increasing enforcement by the regulators."