On 16 October the UK’s Information Commissioner’s Office (“the ICO”) confirmed it had imposed a fine of £20 million (€22 million) on British Airways (“BA”) for processing personal data without adequate security measures in place, leaving the personal details of more than 400,000 of its customers exposed to a cyber-attack which went undetected for two months in 2018. The fine is a dramatic reduction from the ICO’s initially proposed fine of £183 million.
Separately, on 30 October, the ICO confirmed it had imposed a fine of £18.4 million (€20 million) on the US hotel group Marriott International Inc. for security failings which resulted in it failing to keep millions of its customers’ personal data secure, in a breach that affected more than 339 million guest records worldwide. The penalty is less than 20 percent of the £99 million originally proposed by the ICO.
The BA case
The ICO’s initial BA fine of £183 million was the result of a two-year investigation by the ICO, as the lead supervisory authority on behalf of other EU member state data protection authorities, into a cyber-attack on BA’s customers. The incident involved users of the BA website being diverted to a fraudulent site where customers’ personal and financial details were harvested by attackers.
The ICO identified several measures that BA could have implemented to mitigate or prevent the risk of the cyber-attack, including multi-factor authentication, more rigorous testing (through cyber-attack simulation), and more robust access control measures.
After the ICO carefully considered representations made by BA, the response to the breach by BA and the economic impact of COVID-19 on the company, the ICO heavily discounted the initially proposed penalty. BA welcomed the reduction with a spokesperson saying that “We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.”
The Marriott case
In the Marriott case, the attacker installed a piece of code known as a “web shell” onto a device in the Starwood hotel system, allowing them to access further devices on the Starwood network and compromise the personal data of millions of guests.
The compromise is believed to date from 2014, when the systems of the Starwood hotels group were first breached. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.
From a corporate transaction perspective, the comments of the UK’s Information Commissioner in 2019 are worthy of note: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected”.
In the Marriott case, the principal failings on the part of Marriott under the GDPR (Articles 5(1)(f) and 32) from a security perspective were (i) insufficient monitoring of privileged accounts; (ii) insufficient monitoring of databases; (iii) lack of control of critical systems; and (iv) encryption failings.
In its determination, the ICO acknowledged that Marriott had acted promptly to contact customers and the ICO. It also acted quickly to mitigate the risk of damage to customers and has since implemented a number of measures to improve the security of its systems.
Separate to the ICO penalty notice (and while there does not yet appear to be any evidence of attackers making use of the data), a class action is underway in the English courts by data subjects seeking unspecified damages for the loss of control of their personal data.
Fines in context
Due to the ICO’s reduction of the fines initially proposed against BA and Marriott, the highest fine imposed to date under the GDPR remains that imposed by CNIL, the French regulator, which famously fined Google €50 million for infringements relating to lack of transparency, inadequate information and lack of valid consent for ads personalisation.
The second highest fine was only recently imposed by the German data protection authority on the clothing giant H&M, which was fined €35 million for insufficient legal basis for data processing, while the third highest fine was imposed on the Italian telecoms operator TIM, which was fined €27 million, also for insufficient legal basis for data processing.
In both cases, the fines imposed are a dramatic reduction when compared against those initially proposed by the ICO and there is little in the penalty notices to reconcile the amounts. Instead, it would appear that new fine amounts were arrived at by the ICO, taking into account the factors laid down in Article 83 of the GDPR in assessing fine amounts, plus the ICO’s Regulatory Action Policy. From there, discounts were applied by the ICO to address certain mitigating factors and the COVID-19 pandemic.
Both BA and Marriott operate in the tourism industry, which is among the sectors hardest hit by COVID-19. It is clear from the penalty notices that the ICO took the financial impact of COVID-19 on both companies into consideration when making its final determinations and applied discounts accordingly. In the BA case, the ICO arrived at a fine of £30m and then discounted this by £10m (£6m of which was attributable to mitigating factors, including BA’s response to the breach to minimise damage, and £4m being a discount in recognition of the financial hardship brought about by the pandemic).
In the Marriott case, the ICO arrived at a fine of £28m, which it reduced by £5.6m to £22.4m (i.e. a discount of 20%, the same percentage discount applied in the BA case). The ICO then applied a further discount of £4m (the same amount as in the BA case) in recognition of the effects of the pandemic, resulting in a final penalty of £18.4m.
Readers will be familiar with the higher tier of fines that may be applied under the GDPR, i.e. up to 4% of total worldwide annual turnover or €20m, whichever is higher. In both cases, a fine at this level was technically possible, but the fines actually imposed amounted to considerably less than 1% of worldwide turnover. In commenting on the level of fine imposed, the ICO referred to the global turnover of BA (£12.2bn) and Marriott ($5bn), noting that the fines fell well short of what could have been imposed. That said, it serves as a stark reminder for businesses operating globally that regulators will assess fines not on the turnover of a local branch or company, or on turnover within the EU alone, but on worldwide turnover.
While the discounts applied in light of the pandemic are noteworthy, the largest discounts applied were on the basis of the mitigating factors and representations made by each company. This sends a clear signal to businesses – that it is critical to implement adequate security measures and in the event of a breach, be prepared to respond appropriately, engage with data subjects, take steps to minimise the effects of a breach, and cooperate fully with the relevant regulatory bodies. These are key factors which can mitigate the prospect (and/or reduce the size) of a large penalty under the GDPR.
Notwithstanding the reductions to the originally proposed fines in both cases and the discounts applied in the ICO penalty notices, the BA fine remains the highest fine issued to date by the ICO with the Information Commissioner Elizabeth Denham commenting that “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date”.
Article written with the assistance of Deirdre Brannigan.