Following news that Marriott is facing a lawsuit in London’s High Court for its alleged failure to protect personal data in 2018, please see comments below from cybersecurity experts.
Article 82 of the GDPR is in a little bit of a backwater and is often forgotten about. That is all about to change though with the, in my opinion, much-anticipated case against Marriott. The GDPR gives any person who has suffered material or non-material damage as a result of an infringement of the GDPR the right to receive compensation from the data controller or processor for the damage suffered. In my opinion, this will be the first of many such court cases that will follow on the back of high-profile data breaches that have taken place since the introduction of the GDPR in May 2018.
While all court cases are different, if the case goes against Marriott Hotels any fines are likely to be based on the number of people whose data was lost as part of the breach. We don’t know how many of the 500 million records that were believed to be lost are residents of the UK and Wales, but even if the damages were to be £100 for 1 million people, the size of the damages is definitely something that Marriott is going to fight hard to avoid.
Companies need to be proactive right now to ensure that they don’t find themselves in the High Court attempting to defend a breach. Ensuring that they have the right processes and procedures in place so breaches are spotted and dealt with quickly and efficiently goes a long way with judges and regulators alike, as does ensuring that personal data is deleted or redacted at the end of its life.
The news of an impending lawsuit against Marriott is the latest in a series of blows suffered by the international hotel group. Having already been served with a £100 million fine last year, this should serve as a wake-up call to organisations of all sizes of the potential severity of penalties faced by those who fail to recognise that cybersecurity can no longer be treated as a lower-priority activity. It is essential that all organisations take the utmost care and due diligence when applying relevant processes and procedures for good data hygiene.
As well as being subject to GDPR and the legal, financial and reputational implications that come with it, organisations have a duty of care to their customers. Preventative measures are simply not sufficient. There must also be ongoing monitoring of key systems and robust response procedures in place to minimise the impact should the worst happen and a breach occur.
It is now very clear that the consequences of poor cybersecurity are no longer just damage to intangible items such as brand reputation. Organisations are now faced with direct legal and financial consequences if they are unable to demonstrate a mature approach to cybersecurity. These penalties are now being inflicted without hesitation.
Cybersecurity is the responsibility of all within the organisation. Ongoing education and awareness amongst employees from the board down is critical to ensuring a layered approach of people, process and technology, and to preventing costly customer data breaches.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides experts’ comments, analysis and opinion on the latest information security news and topics.