Martin Bryant, a UK resident, has filed a class action lawsuit in the UK seeking compensation on behalf of English and Welsh residents for a 2018 data breach that saw millions of customers have their personal data compromised.
Cybercriminals originally gained access to the Starwood Hotels group’s networks in 2014, securing access to customers’ email addresses, names, postal addresses, telephone numbers, genders, and even credit card information. The group was later acquired by Marriott in 2016, but the breach was not revealed until 2018, by which time it fell under the newly introduced General Data Protection Regulation (GDPR).
The GDPR allows for much higher fines than the regulation it replaced, which capped fines at £500,000. The UK Information Commissioner’s Office (ICO) later indicated its intention to fine the company £99.2 million for the breach, although the ICO has since delayed making a final decision on the penalty until the end of September.
Law firm Hausfield, a specialist in class actions, will be representing Bryant. Michael Bywell, a Hausfield partner and senior commercial litigation lawyer, alleged in a statement that Marriott had breached data protection laws over several years by failing to adequately protect the personal data of millions of customers. Bryant also said in a supporting statement:
“Personal data is increasingly critical as we live more of our lives online, but as consumers we don’t always realise the risks we are exposed to when our data is compromised through no fault of our own. I hope this case will raise awareness of the value of our personal data, result in fair compensation for those of us who have fallen foul of Marriott’s vast and long-lasting data breach, and also serve notice to other data owners that they must hold our data responsibly.”
According to a press release, in the representative action, everyone else with an interest equivalent to that of Bryant will be included in the class unless they explicitly choose not to be, per Rule 19.6 of the Civil Procedure Rules. A website has been established for qualifying parties to register their interest. Global firm Harbour Litigation Funding is financing the claim, so those participating in the claim will not incur any financial risk or have to pay costs or fees.
When asked by website Tech Crunch for a comment, a spokesperson for Marriott International indicated that the company does not remark on pending litigation.
The class action is another indication that the courts may also be used to pursue GDPR breaches, meaning that companies may need to pay compensation in addition to regulatory penalties. This only emphasises the importance of being GDPR compliant. Rather than being a regulatory burden, though, GDPR compliance can actually benefit your operations, and with the IT support and services we provide at Pro-Networks, we can help you attain compliance while also improving your cybersecurity and establishing better working practices, which in turn leads to enhanced confidence from your customers and partners.