The UK Information Commissioner’s Office (“ICO”) has flexed its muscles and announced its intention to issue fines totalling more than £275 million against two international businesses for failing to keep the personal data they hold protected from cyber-attacks, as required under the European General Data Protection Regulation (“GDPR”).
On 8 July 2019, the ICO announced its intention to fine British Airways (“BA”) £183.39 million under the GDPR for a personal data breach it suffered in August 2018. The breach, described as a “sophisticated, malicious criminal attack”, was first disclosed by BA on 6 September 2018. Details of around 500,000 BA customers were compromised in the breach, which involved the diversion of user traffic from the BA website to a fraudulent website. The personal information compromised included names, email addresses and the payment card details used during the booking process. The ICO indicated that BA cooperated with its investigation and has made security improvements since the incident.
The penalty is reported to amount to about 1.5% of BA’s global annual turnover in 2017 and is the highest fine issued to date by a European Union data protection supervisory authority for a personal data breach under the GDPR.
On 9 July 2019, the ICO announced its intention to fine Marriott International, Inc. (“Marriott”) £99.2 million under the GDPR for a personal data breach relating to the Starwood guest reservation database system. The breach is believed to have begun when Starwood hotels’ systems were compromised in a cyber-attack in 2014. It was discovered and notified to the ICO in November 2018, two years after Marriott’s acquisition of Starwood. Personal data contained in over 330 million guest records were exposed as a result. About 30 million of those records related to individuals from over 30 countries in the European Economic Area (EEA), and roughly 7 million related to individuals located in the UK. The ICO determined that Marriott should have taken further steps to review and secure the IT infrastructure it inherited from Starwood. The ICO noted that Marriott had cooperated with its investigation and had improved its security practices since the incident.
The GDPR establishes two tiers of penalties that European data protection supervisory authorities may issue: the standard maximum and the higher maximum. The standard maximum allows a fine of up to the greater of 10 million Euros or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year for violations of certain provisions, whereas the higher maximum allows the greater of 20 million Euros or 4% of total annual worldwide turnover in the preceding financial year for violations of more serious provisions, including the data protection principles and data subjects’ rights.
The penalties proposed for BA and Marriott fall below both of these thresholds, which may reflect the cooperation of both companies with the ICO investigation and the enhancements each has made to its security practices since the incidents were discovered. Both organisations have 28 days to make further representations to the ICO about the calculation of the fine before the ICO makes its final decision. The ICO has said that it will carefully consider any representations made by the companies and by the other European data protection authorities before it makes its final determination.
In both cases, the focus of the ICO’s statements of intent appears to be on the security failures that allowed the breach to occur, rather than on the types and sensitivity of the personal data affected. The ICO also emphasised the responsibility to conduct appropriate due diligence into the IT security and data protection practices of a prospective M&A target where that target is subject to the GDPR. However breaches happen, it is clear that the ICO is taking security breaches very seriously, and these events should serve as a strong reminder to companies to get their house in order and meet the security and other obligations under the GDPR, which apply to businesses both in Europe and outside it. As these are the first two fines it has proposed under the GDPR for a personal data breach, the ICO may well be treating these cases as an opportunity to “set out its stall” on future enforcement action, with an eye to setting the standard of compliance in the UK in a post-Brexit environment.
If you need your systems and controls checked with a view to GDPR and FCA compliance, contact us now!
0207 097 1434