
For context, Marriott's 2018 revenue was $20 Billion...so this fine is 0.5% - not insignificant, but not as high as the maximum 4% which is possible under GDPR.

EDIT: source: https://www.statista.com/statistics/266279/revenue-of-the-ma...



I think you mean profit, not revenue. 99 million is enough for them to alter their behavior and for heads to roll without putting them at a strategic disadvantage in the market.


Fines need to be significant relative to revenue, not profit. Otherwise, they become a “cost of doing business.” A punishment isn’t a punishment unless it hurts.


Doesn't this just affect low margin businesses more then?


Should management of personal information be standard or offered at premium?


I'm not sure what your question is getting at, but if I owned a business, a fine proportional to the profit that I would otherwise receive would hurt equally for a low margin business and a high margin business.


That’s the point: if you can’t profit off my personal data while simultaneously protecting it as a “low margin,” your business doesn’t need to exist. Fines relative to revenue hurt every business a lot, which is how it should be. A massive data breach should be cause for going out of business, not “oh, we’re taking X% of your profits this year, but we totally trust you to do better next year.”


I don't agree with your point at all. A high margin business should then be able to get away with massive data breaches compared to a low margin business going bust? It's not about fairness, it's about actually achieving your goals.


I am ok with it being below the maximum for now. They should start to increase the fines little by little and the big corps will catch on and start to treat security with more respect.


I'd imagine that Marriott self-reporting and cooperating with the ICO investigation can only help RE leniency.


If Marriott are caught again they can expect a far larger fine.

The board should be planning some proper security. A £50m capital budget and £5m a year revenue should be good enough.


Or they could set up an insurance fund for that kind of fine for similar money, and eventually that fund would be less expensive.

After all, you don't have such a leak every other week.


If they make no attempt to improve their security I suspect the next incident will cost them $800m. Be interesting to see who will insure them against that.


When the parent comment said "they could set up an insurance fund", I believe they didn't mean a literal contract with an insurance company, but a straight up savings fund set up by Marriott to be used in the future specifically for expenses like that.


That's still self insurance, and it's still going to hit them for $800m next time they have a leak.

Will have to be a big fund.


Of course. My comment was mostly directed towards the "interesting to see who will insure them against that" part.


On the bright side, the overall regulatory effects of this decision are much larger, as it sets a precedent for future acquisitions (by any company, not just Marriott).


There are two tiers, 2% and 4%.

If this is under the 2% then it's 25% of the max for that tier.

In either case explaining 99 million quid to the board isn't a conversation you'd want to have.


> Marriott's 2018 revenue was $20 Billion

What's your source for that? Marriott International only reported $5.2B in 2018[1].

[1] https://finance.yahoo.com/quote/MAR/financials?p=MAR


That's still going to hurt a lot.


It's about 3 weeks' profit.


You have to look at it from the perspective of the CEO and C Suite. For them they likely don't really care about harm done to whoever had their data compromised, but what they do care about is their bonus. They likely have detailed bonus tiers and if this fine reduces their bonus and incentives then it is likely that change will occur. In many / most large companies, C-Suite pay and the bonus structure is the major driver of all corporate decisions.

For an example, just look at the recent US corp. tax cut. One time bonus to employees and then repurchase of company stock to boost the share price and in turn boost executive level rewards.


3 weeks' profit is a lot. I'd have a hard time imagining my boss telling me that for the next three weeks, every employee's entire profit outcome will solely be dedicated to paying off a fine and that would be acceptable.


By comparison, a speeding fine for doing 75 in a 70 in the UK and you have to pay a week's revenue (not profit).

This fine is half a week's revenue, so losing 330m records is deemed not as serious as going 75 in a 70.


Well obviously, doing 75 in a 70 means you endanger the lives of yourself and those around you recklessly and without proper reason (being an ambulance is a good reason).

Endangering lives of others for no damn reason other than wanting to be home 3 seconds earlier > Losing customer records


> Well obviously, doing 75 in a 70 means you endanger the lives of yourself and those around recklessly

Bollocks. If 75 was so dangerous then 70 is also dangerous.


Is there a US fine in the pipeline too? Only a tenth of the data lost was from EU nationals.


Does the US have laws against this type of negligence?


I'm sure some states do. California perhaps?



