As ever, Rob Lands and Mark Stephens are ahead of the curve.
At our Early Check-In hotel breakfast seminar on 20 June 2019, the panel of experts agreed some clear recommendations for hoteliers concerned about cyber-security:
- make sure all staff are properly trained,
- appoint a chief technical officer at board level,
- insure against cyber-incidents, and
- plan your response in advance for when it happens (because it's a case of when, rather than if).
The £99,200,396 fine proposed by the Information Commissioner’s Office and announced yesterday - to be imposed on Marriott International in respect of criminal data theft from Starwood Hotels' former guest reservation database - is in respect of the UK only. The UK ICO is the enforcement agency for only one of the 28 EU countries subject to GDPR, so there must be a concern that further fines are to come.
As Marriott International has indicated in its SEC filing, it has the right to respond before any final determination is made and a fine can be issued by the ICO. The company stated that it "intends to respond and vigorously defend its position".
The next Early Check-In is on 19 September 2019, when we will be looking at hotel operating models.
https://www.theregister.co.uk/2019/07/09/marriott_hotels_ico_fine_intention_99m_starwood_breach/

In November 2018, Marriott admitted to the world that half a billion customer records had been stolen by miscreants later publicly identified by US foreign secretary Mike Pompeo as coming from China. Though the hotel chain later scaled that down to a mere 383 million reservations, rather than 500 million individuals' data, the damage had very obviously been done.