The UK Information Commissioner’s Office (ICO) has recently handed down two of the largest fines relating to a data breach in UK history.
In August 2018, British Airways (BA) was subject to a cyberattack which breached the personal data of nearly 500,000 individuals, contravening the General Data Protection Regulation (GDPR). As Morgan Lewis reported in July 2019, the ICO initially filed a Notice of Intent to fine BA £183m ($227.5 million) – the equivalent of 1.5% of BA’s annual global turnover in 2017.
On July 9 2020, the ICO issued a further statement announcing a Notice of Intent to fine Marriott International, Inc. (Marriott) over £99m ($123.1 million) for a separate cyber incident, of which Marriott notified the ICO in November 2018 and which affected 339 million guest records.
On October 16, 2020, the ICO fined BA £20m ($25.8 million), and two weeks later, on October 30, 2020, the ICO fined Marriott £18.4m ($23.7 million). Although these represent reductions of nearly 90% and 81%, respectively, from the originally proposed fines, the BA fine remains the largest imposed to date for breach of the GDPR.
The ICO has issued Penalty Notices to BA and Marriott, in which it explained the reasoning for the penalty reductions. Both the GDPR and the Data Protection Act 2018 (DPA) require penalties to be “effective, proportionate and dissuasive”; penalties for noncompliance may be as high as 4% of a company’s annual global turnover.
In 2018, the ICO published a Regulatory Action Policy (currently under review), which set out the ICO’s authority, the aims of the GDPR, and a list of mitigating steps that companies may take to reduce their liability.
In quantifying the penalty in the Penalty Notices, the ICO considered the factors outlined in Article 83 GDPR and the Regulatory Action Policy. Due to the nature and severity of the breach, the ICO initially proposed a £30m fine as an appropriate starting point for BA, and £28m for Marriott.
The ICO then considered the remedial measures and representations made by each of BA and Marriott as mitigation factors, including the following:
- They had each cooperated with the ICO’s investigation
- They had each promptly notified the affected data subjects and appropriate regulatory bodies
- The breaches had a significant negative impact on brand and reputation
- Neither BA nor Marriott received any financial gain as a result of the breach
- Marriott acted quickly to mitigate the risk of damage suffered by its customers, including: (i) deploying real-time monitoring and forensic tools on 70,000 devices on the network; (ii) implementing password resets; (iii) disabling known compromised accounts; and (iv) implementing enhanced detection tools
The above factors contributed to the ICO reducing the proposed penalties by 20%, to £24m and £22.4m.
Finally, the ICO “ha[d] regard to the impact of the COVID-19 pandemic” on each of BA, Marriott and more generally, which led to a further reduction of £4m in each case.
While we are not seeing the mega-fines we had initially expected, the ICO has in each case reduced the fine by 20% where the company demonstrated effective mitigations and remedial actions. Though two cases are not sufficient to establish a pattern, this may give comfort to businesses that have invested heavily in cyber-breach planning.
Moreover, in the Penalty Notice issued to BA, the ICO highlighted a number of measures that could have been taken to mitigate, or even eliminate, the risk of a cyber-attacker accessing the network, including:
- limiting access to applications, data, and tools to only those required to fulfil a user’s role;
- undertaking rigorous testing, in the form of simulating a cyberattack, on the business’s systems; and
- protecting employee and third-party accounts with multifactor authentication.
This provides a clear indication of the kinds of steps the ICO would expect a business to take in order to mitigate future risk.
The ICO has in each case reduced the fine by a further £4m due to COVID-19 and its effect on the economy. On the basis of the economic consequences of COVID-19, the ICO noted that it is appropriate to reduce the penalty that would otherwise have been imposed. What is not clear is whether a £4m reduction will be applied consistently by the ICO, or whether this takes into account the significant losses suffered by the travel and leisure industry in particular.
Finally, it would appear that presenting well-considered mitigating arguments can have a significant impact on the value of any proposed penalty by the ICO. Businesses that are subject to a personal data breach should engage their legal representation early, not only to support the notification process, but also to consider and prepare any mitigating arguments that could serve to reduce any applicable fines under the GDPR.
What Happens Next?
Both BA and Marriott may now exercise their rights to appeal within 28 days to the First-Tier Tribunal of the General Regulatory Chamber. As of the date of publication of this blog post, neither entity has filed an appeal.