British Airways – 8 July
BA is set to receive the largest fine ever imposed by the Information Commissioner’s Office. The ICO released a statement on 8 July of its intention to fine BA £183.39 million for infringements of the General Data Protection Regulation.
The fine, which chairman and chief executive of BA Alex Cruz was “surprised and disappointed” by, is the biggest fine handed out under data protection laws and the first to under the GDPR since it came into effect on 25 May 2018. Until now, the largest fine imposed was £500,000 against Facebook and Equifax (on separate incidents).
In June 2018, website users were diverted from the legitimate BA website to a fraudulent site. Around half a million individuals submitted their personal data to the attackers behind the fraudulent site. The ICO discovered in its investigation that a wide range of personal data was compromised, including names, addresses, log-in details, payment-card information and travel-booking details. BA notified the ICO of the incident on 6 September 2018, originally saying that the approximate number of affected transactions was 380,000.
As a result of the breach BA offered: (a) reimbursement of financial losses; (b) provision of a credit checking service; and (3) the payment of compensation for inconvenience and expense. BA has subsequently taken steps to improve its cybersecurity measures, but the damage had already been done. The ICO criticised the “poor security arrangements” that opened the door to the data breach. A key pillar of the GDPR is the security principle: this requires organisations to implement appropriate technical and organisation measures to ensure security (Article 32).
Elizabeth Denham of the ICO stated: “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.” In fact, by announcing a fine of around 1.5% of BA’s worldwide turnover for 2018, Elizabeth Denham and her team at the ICO did not exercise its power to issue BA with the maximum fine, i.e. the higher of €20 million or 4% of worldwide turnover (GDPR, Article 83(5)). Still, the statement shows an intent from the ICO to flex its muscles and to enforce significant penalties on companies that do not look after individuals’ personal data.
BA has been given 28 days (from 8 July) to appeal this notice. The CEO of IAG, Willie Walsh, stated that: “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.” More will follow, it seems.
Marriott International – 9 July
Following its intention to fine BA, the ICO announced its intention to fine Marriott International Inc. £99,200,396 for infringements of the GDPR. The proposed fine relates to a cyber incident that was notified to the ICO by Marriott in November 2018. The incident, which led to the exposure of personal details of about 339 million guests across the European Economic Area, was believed to date back as far as 2014, but was only discovered in 2018.
Although the original vulnerability began with the systems of the Starwood hotels in 2014, when Marriott acquired Starwood in 2016, the exposure of customer information was not discovered until 2018. Although Marriott was relatively quick in acting and notifying the ICO once the breach had been identified, there were considerable aggravating factors. The four-year gap between the exposure of the records and the discovery of the breach was an important one. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems. Of the proposed fine, Marriott’s president, Arne Sorenson, said: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”
Elizabeth Denham of the ICO stated: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
These notices of intent signal the end of any honeymoon period after the GDPR came into force. The incidents also serve as pointed reminders for any data controller to make sure that appropriate security arrangements are in place, tested and regularly updated, and for any acquirer to conduct thorough due diligence on data protection when making a corporate acquisition.