In recent weeks you will have seen the high-profile press coverage of the Information Commissioner’s Office (ICO) announcement of its first potential fines under the GDPR enforcement regime. British Airways (BA) and Marriott International Inc. have been notified by the ICO that it intends to fine them £183.39m and £99.2m respectively.
The scale of these fines has put down a clear marker for data controllers and processors. However, while they are the biggest fines issued by an EU Data Protection Authority to date, the scale of the fines is obscuring the full picture, as often happens post-GDPR.
The ICO can impose fines of up to €20m or 4% of annual worldwide turnover for the preceding financial year, whichever is higher. The proposed £183.39m BA fine is 1.5% of its worldwide turnover for 2018. It concerns a cyber incident dating back to June 2018, which was reported by BA to the ICO in September 2018.
The incident involved visitors to the BA website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers, with personal data – including names and addresses, login, payment card, and travel booking details – of approximately 500,000 customers being compromised.
The ICO’s fine was imposed because of BA’s alleged failure to implement appropriate security measures to protect its customers’ personal data. Of note is BA's statement that no evidence of any harm to the affected individuals has been found. This demonstrates that the ICO will take action on principle rather than only where there is evidence of harm.
The £99.2m fine which the ICO proposes imposing on Marriott relates to a cyber incident reported by Marriott to the ICO in November 2018. According to the ICO's statement, systems of Starwood Hotels Group were allegedly compromised in 2014, which was still undiscovered when Marriott acquired Starwood in 2016. The incident was not discovered until 2018.
Personal data contained in approximately 339 million guest records globally was allegedly exposed by the incident. Of these, 30 million related to EU residents, of which seven million related to UK residents.
The ICO believes that Marriott failed to undertake sufficient due diligence on data protection and compliance when it acquired Starwood and should also have done more to secure its systems. The potential fine shows the importance of conducting comprehensive due diligence in corporate mergers and acquisitions and ensuring that the vendor has complied with data protection law.
An indicator of what’s ahead?
These fines show that the ICO is taking a strong stance against companies that fail to implement appropriate security measures to protect customers’ personal data, and that it is prepared to issue substantial fines where necessary.
The fines highlight the importance of companies ensuring that robust security measures are in place to protect personal data and undertaking appropriate due diligence in corporate mergers and acquisitions.
The concern is that historical issues predating your ownership will not be excused. This could affect some corporate transactions where the value in goodwill is not based on "clean" data, or where the cost of after-the-fact compliance is too high in the context of the overall deal value.
The good news
It is noteworthy that the ICO’s Annual Report for March 2018-2019 indicates that in 82% of the personal data breaches assessed and closed over the past year, the ICO determined that no further action was required. This was on the basis that the organisation had appropriate measures in place or was taking steps to address the breach. Compliance was therefore the first and only consequence.
The ICO only required data controllers to take further action in 17% of cases. Less than 1% led to action beyond that, such as improvement action plans, further investigation, audit visits, or civil monetary penalties being pursued. However, three major fines were issued by the ICO against Equifax (£500,000), Uber (£385,000), and Yahoo! (£250,000) as a result of failures in cyber security.
It is important to note that in both ICO cases, against BA and Marriott, these are not yet fines but rather notices of intention to fine. Each company still has the opportunity to present its arguments to the ICO, and the views of other concerned data protection authorities will also be considered by the ICO before it reaches a final decision. Once a final decision is reached, it will be possible to understand the basis of the intended fine, and the debate about the insurability of fines will reopen.
These cases highlight how vital it is to ensure that appropriate security measures are in place. All organisations should revisit this issue internally, checking that all appropriate steps (including ensuring all available updates are installed) have been taken. Such actions could mitigate the risk of being exposed to a security incident and of falling into the 1% of cases where the ICO imposes a financial penalty.