07 January, 2020
Over the last month we have seen the Information Commissioner's Office (ICO) give notice of its intention to impose the first major fines under the new, higher limits provided for by the GDPR.
Firstly, on 8th July British Airways (BA) was issued a notice by the ICO regarding its intention to fine the airline £183.39 million for violation of the General Data Protection Regulation (EU) 2016/679 (the GDPR).
The violation in question relates to a cyber-attack suffered by BA starting in June 2018. By September 2018, the airline informed the ICO that it had become aware that customer and user traffic from its own website had been fraudulently diverted to a fake site set up by the attackers. Through this method, around 500,000 customer details were breached, including payment information, names, addresses and travel details.
After a significant investigation, the ICO reported in its findings that BA's poor security arrangements directly allowed the breach to occur. BA has stated that it cooperated with the ICO investigation and has implemented numerous changes and improvements to its security systems in response to the attack.
The total fine of £183,390,000 equates to 1.5% of BA's global turnover for the year ending 31 December 2017. This falls short of the maximum fine that the ICO could have issued, 4% of global turnover; however, the scale of the fine should be seen as reflecting not only the size of BA itself but also the magnitude of the failings found by the ICO.
Information Commissioner Elizabeth Denham said: "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
In response to the ICO notice the chief executive of BA parent organisation the International Airlines Group (IAG), Willie Walsh, stated the airline would discuss the decision with the ICO and potentially lodge an appeal. The ICO itself has confirmed that it will consider carefully BA's representations, as well as representations from other concerned data protection authorities before it takes its final decision.
There remains the chance that a class action may be pursued against BA by the victims of the attack themselves; however, the airline is adamant that no fraudulent activity has been linked to the affected accounts as a result of the breach.
Immediately after announcing its intention to fine BA, on 9th July the ICO announced that it intended to fine Marriott International, Inc more than £99 million for breaches of the GDPR.
The ICO confirmed that it has conducted an investigation into Marriott International following a cyber security incident. It is understood that around 30 million guest records were compromised, including credit card details, passport numbers and dates of birth. The guest records contained details of guests in 31 different countries in the European Economic Area (EEA), and around 7 million of those related to residents of the UK. The ICO has stated that the cyber security incident appears to have begun when the systems of the Starwood hotels group were compromised in 2014.
Marriott International then acquired the Starwood hotels group in 2016, but the compromise of guest records was not discovered until last year. The announcement from the ICO stated that Marriott International had failed to undertake sufficient due diligence when it acquired the Starwood hotels group and should have done more to make sure its IT systems were secure.
Marriott International will now have the opportunity to make representations to the ICO on the findings of the investigation and the proposed level of fine. The ICO conducted the investigation alongside other European supervisory authorities whose residents were affected by the breach, and they will also have the opportunity to make representations to the ICO about its findings.
Once the ICO has considered the representations made by Marriott International and the other EU supervisory authorities, it will publish a notice of the fine along with an explanation of how that figure was reached. The level of fine will take into account how Marriott International responded to the breach when it was notified and its cooperation with the ICO.
The proposed fines set out above are clear evidence of the ICO flexing its new powers under the GDPR, which allow it to levy fines far higher (up to 4% of global turnover) than the previous £500,000 cap. With that in mind, it is important to remember that the majority of organisations handling personal data would face far lower fines for breaching data protection regulations.
As stated above, fines are relative to the size of the organisation and the scale of the breach (the number of individuals involved, the types of data breached, and so on), so this news should not cause undue distress for those working to ensure their GDPR compliance.
For more information contact Daniel Milnes in our Governance, Procurement & Information department via email or phone on 01254 222313. Alternatively send any question through to Forbes Solicitors via our online Contact Form.