Marriott faces data loss claim - will it open floodgates?

Hotel giant Marriott International may have succeeded in keeping its proposed £99m GDPR fine at bay – so far, at least – but it is now facing a High Court battle for compensation following the launch of yet another class action lawsuit against a company for the loss of personal data.

The case is being brought by technology consultant Martin Bryant on behalf of Marriott customers living in England and Wales who made a reservation to stay at one of the company’s Starwood properties – including brands W Hotels, Sheraton Hotels & Resorts, Westin Hotels & Resorts and Le Méridien Hotel & Resorts – before September 10 2018.

It relates to a cyber incident that Marriott self-reported to the UK Information Commissioner’s Office in November 2018, which exposed about 339 million guest records globally.

According to the ensuing ICO investigation, the vulnerability began when the systems of the Starwood Hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.

The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

While 339 million records were compromised globally, it was for the loss of data from more 30 million EU customers – 7 million of whom were in the UK – that the ICO issued a notice of intent to fine the hotel chain £99m in July last year.

However, the legal wranglings with the ICO have now seen the final decision being delayed for an unprecedented fourth time, with Marriott recently securing yet another extension until September 30.

Nevertheless, Bryant, who is represented by leading disputes-only specialist law firm Hausfeld, is determined to have his day in court. His claim is being funded by Harbour Litigation Funding.

Bryant told the Guardian: “I hope this case will raise awareness of the value of our personal data, result in fair compensation … and also serve notice to other data owners that they must hold our data responsibly.”

Hausfeld partner Michael Bywell said Marriott had failed over several years “to take adequate technical or organisational measures to protect millions of their guests’ personal data which was entrusted to them. It is essential that all organisations take the utmost care and due diligence when applying relevant processes and procedures for good data hygiene”.

He added: “Cybersecurity is the responsibility of all within the organisation. Ongoing education and awareness amongst employees from the board down is critical to ensuring a layered approach of people, process and technology, and to preventing costly customer data breaches.”

Even so, despite numerous cases in the pipeline, including proposed action against British Airways, Virgin Media, EasyJet, Dixons Carphone, Ticketmaster, Yahoo, the Police Federation, T-Mobile, and even Watford Community Housing, the UK courts have yet to sanction a single penny in compensation for a data breach affecting British consumers.

In fact, in April this year, the Supreme Court ruled that Morrisons would not have to pay compensation to the 100,000 staff whose data was stolen and leaked by a disgruntled IT auditor, after it held that the retailer was not vicariously liable for his actions.

Meanwhile, Hayes Connor, the law firm which launched a £100m claim against Equifax in the UK for the estimated 15 million Brits who had been caught up in the credit reference company’s 2017 data breach, was forced to withdraw its action.

The Marriott action is likely to rely on the Court of Appeal’s decision on the Lloyd v Google “iPhone tracking” case on October 2 2019. Despite rejecting a payout in that case, the court ruled that a law firm could bring a claim for compensation for just one affected individual following a data breach and be awarded compensation for the entire affected population.

One industry source said: “So far, the courts have fiercely resisted sanctioning compensation payments for data loss or even financial or emotional damage resulting from such incidents. But surely it is only a matter of time before a case is successful; then the floodgates will open.”

The only reported case where compensation has been paid was in January this year when nearly 300 students from the University of East Anglia, whose personal details were emailed to their peers, received £142,512.16, which, if shared equally, would have totalled nearly £500 each. However, the money came from an insurance claim not a legal case.

Marriott International declined to comment on the High Court action.