Marriott fined £0.05 for each of the 339 million hotel guests whose data crooks were stealing for four years

Your name, address, phone number, email address, passport number, date of birth, and sex are worth just £0.05 in the eyes of the UK Information Commissioner's Office, which has fined Marriott £18.4m after 339 million people's data was stolen from the hotel chain. The fine was imposed as a regulatory punishment for the 2018 …

  1. NeilPost

    Bafflingly Shameful

    As bafflingly shameful as BA’s ‘get away near scot-free’ knuckle rap.

    The ICO Chair should Fucking resign in shame.

    Simple solution - as with BA - take the £18m as a down payment on an instalment plan tied to the company's recovery. No boardroom bonuses until paid off.

    Simple, fair, proportionate and helps out with short-term cash flow/revenue issues. 5-10 year payment plan please.

    BA and Marriott must be pissing themselves in glee at this. It’s disgusting - esp. in light of BA’s casual disregard of the law on refunds and employment practices too.

    Habitual offenders have been rewarded with the equivalent of a misdemeanour punishment.

    1. stiine Silver badge

      Re: Bafflingly Shameful

      And garnish all executive bonuses (including signing bonuses) until the sum is paid in full.

    2. Anonymous Coward

      Re: Bafflingly Shameful

      "As bafflingly shameful as BA’s ‘get away near scot-free’ knuckle rap."

      Unpopular opinion - I think Marriott have been punished harshly for this.

      The only Marriott business decision that led to this disclosure was purchasing Starwood Group, and once discovered, they handled the disclosures in a responsible way helping customers where possible. From my understanding of this case from following it over the years, at every step of the way they have tried to do the right thing for those affected by past decisions, aside from admitting legal responsibility which I assume is for legal purposes in various jurisdictions. Unless I've missed something, they have ticked all of the boxes that they could other than discovering the breaches pre-acquisition. From an IT/Security/risk management perspective, Marriott employees that did not work for the Starwood Group likely did everything possible to comply with data security requirements.

      What would have happened if Starwood Group hadn't been acquired? It would have been a much smaller company so the fines would have likely been much less given Marriott Group was around 10x the size of Starwood Group.

      If we punish companies heavily for making the right decisions, why should we expect them to keep making the right decisions? Marriott would have been better off doing the minimum and spending the money fighting to reduce the size of the fine....

  2. alain williams Silver badge

    To stop it happening again ...

    which should be one of the ICO's aims, should they not have insisted that Marriott be audited by an independent White Hat type organisation for 10 years? Hopefully the WH types would kick up a fuss at poor/sloppy practice and make them fix it.

    I do not know if the ICO has the power to order this, if not then time to get a quick bill through parliament.

    1. Mike 137 Silver badge

      Re: To stop it happening again ...

      As long ago as 2009 I suggested to the then deputy information commissioner that fines should be replaced by enforced specific remediation and fulfilment audit at the expense of the subject of the action. His response was that they couldn't contemplate affording that as their revenues were insufficient.

      The ICO's funds still are insufficient, primarily because it's in a bind. It can't be funded by government as there would be a conflict of interest if it had to action a government data breach; it can't be funded by fines as there might be suspicion of malpractice in aid of revenue. The existing model is a registrant fee based on scale of organisation, and it clearly yields insufficient funding. Our annual fee is a mere £40 and that's probably the fee the majority of companies pay. I'd be quite content to see it doubled or trebled, which would make a big difference to the ability of the ICO to take on duties that actually prevent data breaches, quite apart from supporting its other workload. The last time I enquired the ICO was so overloaded that it took several months just for a complaint to be allocated a case officer.

      I strongly suspect that for the same reasons the downward negotiation of fines is a trade off between the cost of litigation and the effect of the penalties. A typical business will spend many times more on a legal challenge than they save as a result of its success, as what matters is "reputation". The ICO can't afford to do that, but has to cut its losses much sooner as appeal litigation runs to millions.

      1. NeilPost

        Re: To stop it happening again ...

        How are other regulators like Ofcom, Ofwat, Ofgem, Financial Ombudsman/FCA/Payment Regulator, CQC/Monitor, Charities Commission, CAA, Nuclear Regulator, Ofsted, EHRC, ASA, IPCC, etc... funded??

        Perhaps the banks would like to contribute a sliver of funding ... as often it’s their card data pilfered?

        If not out of general taxation.

        1. Mage Silver badge

          Re: To stop it happening again ...

          Ofcom may be funded by Mobile Licence fees. Comreg is. Guess how much they care about anything other than Interference to Mobile Bands, or consumers or non-Mobile Spectrum users?

        2. Anonymous Coward
          Happy

          Re: To stop it happening again ...

          Perhaps the banks would like to contribute a sliver of funding ... as often it’s their card data pilfered?

          The ICO is already paid for by a sliver of funding from all data controllers.

          "The ICO is primarily funded by organisations paying the data protection fee, which accounts for around 85% to 90% of the ICO’s annual budget.... From 1 April 2019 to 31 March 2020, the ICO projects that it will collect roughly £46,560,000 through the data protection fee." https://ico.org.uk/about-the-ico/who-we-are/how-we-are-funded/

          So whilst it's not a big drain on the public purse, it's a bigger drain on the public's purse.

          Nevertheless your suggestion has legs because I imagine almost all the ICO's money comes from a prodigious number of SMEs who pay £40 or £60 each per year rather than a tiny number of multi-billion pound turnover multinationals who cough up a microscopic (for them) £2,900.

          The relevant tax* structure is here.

          * It's a tax, not a fee, because there is no quid pro quo, which is needed for a fee but absent for a tax.

      2. Blazde Silver badge

        Re: To stop it happening again ...

        Right, the taxpayer can't fund them because of conflict of interest investigating government departments, yet their own fine surplus of several million/year goes to 'Consolidated Fund' aka The Treasury. I'm not sure that's totally logical.

        I was going to suggest they get to keep a fixed value of the fine revenue, given the assumption they are going to be issuing at least some fines annually for the foreseeable future but it seems changes like that are being looked at, and they have received a small (£0.6m) government grant for litigation costs in the last financial year, as well as various other specific grants for setup costs earlier.

    2. stiine Silver badge

      Re: To stop it happening again ...

      Agreed, but not any company that has audited them since 2004...

  3. AW-S

    An upside to COVID

    "with the COVID-19 pandemic scoring it a further £4m discount".

    At last their shareholders get an upside from COVID. Shameful.

  4. Anonymous Coward
    WTF?

    COVID discount?

    So China unleashed hell on the world, and because of that some rich hotel chain gets a £4M discount on its punishment?

    Can someone please explain what the connection is between these two things?

    1. sabroni Silver badge

      Re: So China unleashed hell on the world

      Because if it'd manifested anywhere else it wouldn't have been spread around the world by humans?

      I think your bigotry is showing......

      1. Anonymous Coward

        Re: So China unleashed hell on the world

        It "manifested" (cute word - I think you mean it spread to humans) because of Chinese cultural preferences.

    2. Anonymous Coward

      Re: Can someone please explain what the connection is between these two things?

      It's more socialism for the Rich. When they get a fine, if they're having a hard time paying it, it's reduced.

      Try that next time you get nicked for speeding whilst poor.

      1. SGJ

        Re: Can someone please explain what the connection is between these two things?

        Fixed penalty offences are, as the name suggests, fixed so pleading poverty won't get you a reduced penalty if you break the speed limit. However, financial circumstances are taken into account with fines. The Sentencing Council guidelines say:

        "The amount of a fine must reflect the seriousness of the offence (Criminal Justice Act (“CJA”) 2003, s.164(2)).

        The court must also take into account the financial circumstances of the offender; this applies whether it has the effect of increasing or reducing the fine (CJA 2003, ss.164(3) and 164(4))."

        The maximum penalty notice (not fine) the ICO may issue is linked to a company's global turnover and, since Covid-19 will have affected Marriott's turnover, the penalty notice takes this into account. The ICO has updated its Regulatory Action Policy to take account of Covid-19 and this now includes

        "As set out in the Regulatory Action Policy, before issuing fines we consider the economic impact and affordability. In current circumstances, this is likely to continue to mean the level of fines will be reduced."

    3. St Deiniol

      Re: COVID discount?

      FYI there seems to be little or no evidence that C19 came from China. Retrospective tests have shown that at least one person died in France of C19 weeks before it was 'discovered' in China.

      1. Anonymous Coward

        Re: COVID discount?

        Link please. And not youtube.

        1. Anonymous Coward

          Re: COVID discount?

          @759b954e….

          The link you requested. For what it is worth, there was also a death in England in December. But I, stupidly, did not bookmark it.

          Cheers… Ishy.

          https://www.standard.co.uk/news/world/france-first-coronavirus-case-december-a4431961.html

          1. Anonymous Coward

            Re: COVID discount?

            Hmm. An undated article, about 1 patient, with samples stored for some time, and the source didn't want to comment. Okaaaaaay.

  5. 0laf
    Unhappy

    A lot of this comes down to the ICO not having a big enough legal budget. Basically it can't afford to take on these big multinationals so it gives in when they say "how much to make this go away". Remember the ICO doesn't get to keep these fines; they go to the Treasury.

    Really the ICO should be able to hang onto some of this money to add to its legal fund to make sure it is not in the same position next time of being unable to defend its own decisions.

  6. Anonymous Coward

    If the fine is 0.05/record, wouldn't it make financial sense to just sell all the records that you have on the black market? I'm pretty sure you can get a lot more than that for passport details, no?

    1. Roland6 Silver badge

      Interestingly, the rumoured £99M fine only values the individual records at £0.25...

    2. Alumoi Silver badge

      Damn it, I told you NEVER disclose our business plan.

  7. Claverhouse Silver badge
    WTF?

    "remains committed to the privacy and security of its guests' information"

    Clearly.

    1. oiseau
      WTF?

      Re: "remains committed to the privacy and security of its guests' information"

      This has been happening in too many places for too long, unfortunately with no remedy or end in sight.

      For years people's vital data has been getting continuously stolen from those in charge of their security, ending up in the usual places.

      I have been, for the longest while, convinced that no one is really stealing anything.

      The data is getting sold in huge chunks to the usual clients and the sellers have in turn factored the "fine" into their price.

      Your name, address, phone number, email address, passport number, date of birth, and sex may be worth just £0.05 in the eyes of the UK Information Commissioner's Office, but for the miscreants in the data traffic business it is a priceless cash cow as they can sell it many times over.

      The only way to stop this is making it hurt, in the most ruthless manner.

      Be sure once it is put in place it will not ever happen again.

      You lost my data because you did not protect it properly?

      Right then: it's £10 a pop for the first time and £100 if it happens again, with the members of the board financially responsible with their own assets for the fine.

      A sad state of affairs.

      O.

  8. gargantua

    Audits

    Governance seems to still be such a mess with personal information. In the US, we are seeing a lot of redundant privacy-oriented legislation in localities and States, written mostly to serve the career of its author. Standard Information Security Audits of companies that warehouse or process large amounts of PID, like Marriott, should be clearly defined and mandated.

  9. sanmigueelbeer
    Thumb Down

    Money talks -- BS walks

    Marriott deeply regrets the incident and remains committed to the privacy and security of its guests.

    HAHAHAHAHAHA ... £0.05 per person, of course you do. *wink*, *wink*, *jab*, *jab*

    (I'm looking at the calendar right now and I thought it was 01 April ... but it is not.)

  10. Anonymous Coward

    UK watchdog's mooted £99m penalty comes in at just £18.4m

    GREAT news for BIG BUSINESS who think they might find themselves in similar predicament. Fear not! It's only the shitty no-name scumbags that get sent packing. Your Valuable Brand shall save your incompetence / cost optimization "slip"!

  11. Anonymous Coward

    Fines that are based on percentage of income

    Are supposed to be just that, in order to hurt companies no matter what their size but without killing them.

    Why isn't that being applied now?

  12. Robert Grant

    Although the attack was originally thought to have exposed half a billion records in the chain's guest reservation database, later investigations revised that figure downwards.

    Almost makes it worth announcing a huge breach, get a low per-person-breached fine amount, and then revising the breach numbers down.
