Ryan Gracey responds to Marriott Hotels’ second data breach in three years

Ryan Gracey, solicitor at Gordons and expert in technology law, has responded to the news that Marriott Hotels has confirmed a second data breach in three years.

The hotel chain said it discovered the breach of an unspecified property system at a franchise hotel, involving the personal information on 5.2 million guests.

Marriott said it has “no reason” to believe payment data was stolen, but said names, addresses, phone numbers, loyalty member data, dates of birth and other travel information were taken in the breach.

Ryan Gracey said: “If any of the personal data exposed in this recent cyber security incident relates to EU residents, EU data protection regulators will mostly certainly investigate the breach.

“The General Data Protection Regulation makes it clear that organisations must be accountable for the personal data they hold. This includes ensuring proper technical and organisational measures are in place to protect personal data against unauthorised or unlawful access and disclosure.

“Under the GDPR regime, EU regulators have the power to issue fines of up 4% of Marriot’s annual global turnover. Given this is their second material breach in under two years, they should ready themselves for a hefty penalty.”

To find out more or to discuss your data protection contact Ryan below or visit our GDPR and Digital & Technology pages.