Commenting on news of the ICO’s intention to fine Marriott International, Kingsley Hayes, managing director at data breach and cyber security specialist Hayes Connor Solicitors, said:
“The ICO has started to show its teeth with two international organisations facing significant fines this week. Marriott International suffered a cyber attack in 2014 affecting millions of its guests yet the incident was not discovered until four years later.
“This raises serious questions about the robustness of its cybersecurity and the frequency that Marriott reviews its data protection measures which is evidently lacking. Interestingly, both British Airways and Marriott International have stated that they will contest the fines indicating that businesses are still underestimating the serious implications, both in the short and long term, on affected customers.
“The penalties for businesses who fail in their data protection obligations do not end with the ICO fines. Hayes Connor is representing in excess of 500 clients against British Airways and against Marriott International. Our clients are entitled to compensation for actual, and potential, financial loss and for some, the psychological distress directly caused by the breach.
“Hayes Connor is also engaged in High Court Litigation against Ticketmaster following its notification of a large scale data breach last year. This is the first of the high profile, high volume and value, cases to be in the High Court post GDPR.
“Whilst the ICO pronouncement on that investigation is imminent at a hearing in Liverpool High Court today, HHJ Pearce provided an order of the Court for the case to move forward this year to start to establish the liability of Ticketmaster to its customer base.
“While large organisations like Ticketmaster, British Airways and Marriott can take the financial hit, these hefty penalties can threaten the survival of many small and medium sized organisations.
“Evidence to date however, shows that the majority of businesses are still not taking data protection seriously enough and more needs to be done to protect consumers’ privacy.”