Marriott said it would appeal the fine issued by the U.K. Information Commissioner’s Office, or ICO.
The hotel owner disclosed in November that a hack of the reservation database for its Starwood properties might have exposed the personal information of hundreds of millions of guests.
“We are disappointed with this notice of intent from the ICO, which we will contest,” said Arne Sorenson, Marriott’s president and chief executive.
The potential fine comes a day after British Airways said it faces a potentially record $230 million fine from the ICO, which alleges the carrier failed to protect passenger data after a hack last year. The airline’s parent International Consolidated Airlines Group SA said it would appeal the fine.
The EU’s General Data Protection Regulation, or GDPR, aims to hold companies accountable for safeguarding the personal data increasingly swept up in today’s digital world. It falls to national regulators—in Britain, the ICO—to enforce the rules for companies within their jurisdiction.
“Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest-reservation database.”
In the U.S., there is no central authority for probing and punishing failures in consumer data protection. In many cases, companies subject to such hacks can be liable for customers’ financial losses stemming from unauthorized access to their data. States have also taken firms to task for data breaches.