The UK Information Commissioner’s Office (ICO) issued the European General Data Protection Regulation (GDPR) fine against Marriott as the result of a major security breach in 2018 that resulted in more than 339 million guest records being exposed. The $123 million GDPR fine is approximately 3 percent of the company’s $3.6 billion in global annual revenue. The maximum fine under the GDPR rules can now be as much as 4 percent of global annual turnover.
The most troubling aspect of the Marriott security breach was how long it took the company to determine the size and extent of the breach and then to report it to the relevant authorities. The breach actually dates back to 2014. When Marriott uncovered the data breach in September 2018, it waited until November 2018 to report it to the authorities. This is in direct contravention of the GDPR, which specifically requires that any security breach be reported in a timely manner to any EU data subjects who have been affected by it.
Similar laws are now in effect in Canada under PIPEDA (the Personal Information Protection and Electronic Documents Act). If you suffer a breach, you must inform the Privacy Commissioner of the breach.