Marriott International is set for another courtroom showdown with victims of a major data breach announced in 2018, affecting 339 million global customers.
Tech journalist Martin Bryant, 41, has reportedly filed a collective action lawsuit on behalf of the estimated seven million former guests of the hotel giant from England and Wales whose personal data was compromised.
Represented by law firm Hausfeld, Bryant is claiming damages for loss of control of personal data, under the UK’s Data Protection Act 1998 and the EU General Data Protection Regulation, according to the Financial Times.
“Personal data is increasingly critical as we live more of our lives online but, as consumers, we don’t always realize the risks we are exposed to when our data is compromised through no fault of our own,” he told the paper.
The suit comes on the back of other legal action in the US and Canada.
It also follows criticism of the UK data protection regulator, the Information Commissioner’s Office (ICO), for delaying its final decision on the size of the fine to be levied.
The ICO originally issued a notice of intent in July 2019 to fine Marriott £99m for security failings that led to the incident. However, the company has since made representations to the regulator in an attempt to dial down the fine.
Originally extended to May 2020, the final decision from the ICO is now likely in September.
However, the latest legal action proves that regulatory fines are only one small part of the total costs of a data breach that victim organizations can expect to pay.
“As well as being subject to GDPR and the legal, financial and reputational implications that come with it, organizations have a duty of care to their customers,” argued Stuart Reed, UK director of Orange Cyberdefense.
“Preventative measures are simply not sufficient. There must also be ongoing monitoring of key systems and robust response procedures in place to minimize the impact should the worst happen and a breach occur.”