The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has announced its intention to fine two companies record-breaking amounts for breaches of the General Data Protection Regulation (GDPR). The ICO has given notice of its intention to fine British Airways (BA) £183.39 million and the Marriott Hotel Group £99.2 million. These fines are the first time that the ICO has made use of the powers it was given when the GDPR came into force in May 2018, and they are many times larger than the highest fine the ICO levied under the previous legislation, where fines were capped at £500,000.
The BA data breach
In BA’s case the incident, which involved a malicious actor gaining access to personal data including email addresses, home addresses, customer names and payment card details, affected approximately 380,000 transactions, prompting the ICO to conduct an extensive investigation.
The data breach occurred sometime between 21 August and 5 September 2018 and is believed to have been the result of criminal hackers, as opposed to a breach of the airline’s encryption, according to Alex Cruz, BA’s Chief Executive. Nevertheless, the GDPR makes no exception for whether the breach was a result of a hack or a leak from inside, with Article 5(f) stating that personal data shall be processed ‘…in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’.
As BA handles, among other things, payment details and passport information for its customers, it can be argued that the risk here was significant, thus requiring a robust, state-of-the-art cybersecurity system. However, it must be noted that the stolen data did not include passport details.
If you would like a full recap of the details of the incident and the GDPR’s tough stance on cybersecurity, our previous blog can be found here. However, the more recent, and arguably more notable, news in the long-running saga is the announcement by the ICO of the amount BA will be forced to pay.
Record-breaking fine
Prior to the BA hack, the largest fine levied by the ICO was against Facebook for the Cambridge Analytica scandal in October 2018, which amounted to a (comparatively modest) £500,000, the previous maximum under the Data Protection Act 1998, the GDPR’s predecessor.
The proposed fine to be levied against BA is 367 times this amount, equivalent to 1.5% of BA’s worldwide turnover for the 2017 financial year. It must be noted, though, that this is significantly less than the possible maximum of 4% of global annual turnover, which would have seen BA presented with a fine of £500 million. This is likely a result of BA’s cooperation with the ICO and the subsequent improvements it implemented to its cybersecurity arrangements in an attempt to prevent future incidents of this nature. Nevertheless, both BA’s Chief Executive and Chairman, Alex Cruz, and the head of International Airlines Group (BA’s parent company), Willie Walsh, have confirmed that BA intends to appeal the fine.
In addition to the BA fine, the ICO has also stated its intention to fine the US hotel chain Marriott Group £99.2 million for an incident that involved the exposure of guest records relating to approximately 339 million guests, 30 million of whom are residents of the European Union.
According to a statement published on the ICO website, the vulnerability that led to the data being exposed is believed to have started in 2014 in the systems of the Starwood Hotels Group, which was later acquired by Marriott in 2016. However, the breach was not detected until 2018, at which point Starwood was under the control of Marriott, leading the ICO to conclude that Marriott had “failed to undertake sufficient due diligence when it bought Starwood”.
Whilst BA and Marriott are the first two organisations to be fined under the GDPR by the ICO, back in January CNIL, the French equivalent of the ICO, levied a fine of €50 million against Google for infringing the requirements of the GDPR. A clear trend of harsher fines for data protection breaches is therefore emerging, providing a notable deterrent against future breaches.
What happens to the money?
Contrary to popular belief, the ICO does not actually get to keep the money from these fines; rather, the money goes into the Consolidated Fund (the Treasury). It is therefore a healthy boost for central government finances.
Under Article 82 of the GDPR, individuals who have suffered material or non-material damage as a result of an infringement of the GDPR have the right to receive compensation from the controller or processor for the damage suffered. This would need to take the form of a civil action brought by those that have suffered damage as a result of either BA’s or Marriott’s actions. While it is not clear how much any compensation might amount to, these decisions by the ICO would appear to have removed a significant hurdle for any would-be claimant, as it should now be possible to rely on the ICO’s findings as evidence that there has been a breach of the GDPR. Without the ICO’s findings, it would have been down to the individual claimants to prove this themselves as a necessary ingredient of their claims.
Vigilance and security are key
Whilst the ICO has yet to use the full extent of its new powers against an organisation, the above two fines should be a stark reminder of the importance of becoming GDPR compliant and having robust data security systems in place. Moreover, for anyone considering, or involved in, an acquisition, due diligence regarding data and information security is something that simply cannot be overlooked.
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.