The UK Information Commissioner’s Office (“ICO“), a European data protection supervisory authority, has flexed its muscles and has announced its intention to issue fines exceeding £275 million against two international businesses for failing to keep the personal data they hold secure from cyber-attacks under the European General Data Protection Regulation (“GDPR“).
On 8 July 2019, the ICO announced its intention to fine British Airways (“BA”) £183.39 million under the GDPR for a personal data breach it suffered in August 2018. The breach, described as a “sophisticated, malicious criminal attack”, was first disclosed by BA on 6 September 2018. Details of approximately 500,000 BA customers were compromised during the breach, which involved the diversion of user traffic from the BA website to a fraudulent website. The personal information compromised included names, email addresses and payment card details used during the booking process. The ICO indicated that BA cooperated with the ICO investigation and has made security improvements following the incident.
The penalty is reported to amount to about 1.5% of the global annual turnover of BA in 2017 and is the highest fine issued so far by a European Union data protection supervisory authority for a personal data breach under the GDPR.
On 9 July 2019, the ICO announced its intention to fine Marriott International, Inc. (“Marriott”) £99.2 million under the GDPR for a personal data breach that occurred in relation to the Starwood guest reservation database system. The breach is believed to have started when Starwood hotels systems were affected by a cyber-attack in 2014. The breach was uncovered and notified to the ICO in November 2018, two years after Starwood's acquisition by Marriott. Personal data contained in over 330 million guest records were exposed by the incident. About 30 million records related to individuals from over 30 countries in the European Economic Area (EEA). Approximately 7 million records related to individuals located in the UK. The ICO determined that Marriott should have taken additional steps to review and secure the IT infrastructure used by Starwood. The ICO noted that Marriott had cooperated with the investigation conducted by the ICO and had improved its security practices since the incident.
The GDPR established two tiers of penalties that can be issued by European data protection supervisory authorities; the standard maximum and the higher maximum. The standard maximum allows for a fine equal to the greater of 10 million Euros or 2% of total annual worldwide turnover in the preceding financial year of the relevant undertaking for a violation of certain provisions, whereas the higher maximum allows for the greater of 20 million Euros or 4% of the total annual worldwide turnover in the preceding financial year of the relevant undertaking for a violation of more serious provisions, including data protection principles or data subjects’ rights.
The penalties issued to BA and Marriott fall below both of these thresholds, which may reflect BA and Marriott’s cooperation with the ICO investigation and that those organizations have made improvements to its security practices since the incidents were discovered. Both organizations have 28 days to make further representations to the ICO about the calculation of the fine before the ICO makes its final decision. The ICO has said that it will carefully consider any representations made by them and the other European data protection authorities before it takes its final determination.
In both cases, the focus of the ICO’s statements of intent seems to be on the security failures that led to the breach occurring, rather than necessarily being on the types and sensitivity of personal data affected. The ICO also focused on the requirement to conduct an appropriate due diligence process into the IT security and data protection practices of a future target of any M&A activity where that target is subject to the GDPR. No matter how breaches happen, it is clear that the ICO is taking security breaches very seriously and these events should serve as a strong reminder to companies to get their house in order in order to comply with the security and other obligations under the GDPR, which applies to businesses both in Europe and outside of Europe. Being the first two fines it has issued under GDPR for a personal data breach, the ICO in particular could be approaching these episodes as an opportunity to “set out its stall” with respect to future enforcement action, with its eye on setting the standard of compliance in the UK in a post-Brexit environment.
For further details on these fines please see: