Earlier this month the UK’s data protection regulator – the Information Commissioner’s Office (ICO) – hit the headlines by announcing, in quick succession, its intention to impose fines totalling £283m.
First, British Airways (£183.39m), then Marriott International (£99.2m) – both due to cyber/IT security incidents in which customer personal data was compromised.
Since 25 May 2018, when the General Data Protection Regulation (GDPR) came into effect, data protection experts have been anxiously waiting to see what fines the ICO would levy under the GDPR. The ICO now has the power to levy fines of up to the greater of Euro 20m or 4% of group worldwide turnover – far above the previous cap of £500,000. And now we have two whopping intended fines. Yet a sense of perspective is needed.
Firstly, such fines are only “intended” fines at this stage – the ICO may reduce them after hearing representations from the companies concerned.
Secondly, whilst we don’t yet have the full rationale for the fines, it seems reasonable to assume that they will be higher than the fines the ICO would impose acting for the UK alone. This is because in these two cases the ICO is acting as the “lead supervisory authority” under the GDPR and so is representing the interests of other EU/EEA data protection authorities as well.
Thirdly, these appear to be very serious incidents at large corporates involving significant numbers of customers and taking place over an extended period of time with the risk of serious prejudice to those affected – so the fines were always going to be significant.
In Marriott International’s case the problem arose due to IT systems that were originally part of the Starwood hotels group acquired by Marriott in 2016. It took Marriott until 2018 to discover the incident (which had its origins in a 2014 compromise of Starwood’s systems) and the ICO found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.
In BA’s case the cyber incident was notified to the ICO by BA in September 2018. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018. The ICO’s investigation found that a variety of information was compromised by poor security arrangements at the company, including login, payment card and travel booking details as well as name and address information.
Nevertheless, the days of a £500,000 cap on data protection fines are now well and truly over. Also, it’s not just fines that should concentrate the mind – there’s the reputational damage, the legal and administrative costs in dealing with the matter and, perhaps most ominously, the threat of class action data breach lawsuits on behalf of affected data subjects. If significant numbers of data subjects are affected, the claims here can easily outstrip the level of any fines.
Implications for business
As we wait to see how these two cases proceed, some initial conclusions can be drawn.
Don’t assume you can pass the blame onto others: the fact that you’ve suffered a cyber/IT security incident caused by the criminal behaviour of others (as it appears Marriott and BA did) doesn’t necessarily get you off the hook. Did you put in place appropriate procedures to help prevent, detect and then swiftly respond to and contain such an attack? If you failed in your duty of care you will have to face the consequences. Businesses need to take IT security very seriously and to embed this into how employees behave as well – frequently human error, or worse, will be responsible, not necessarily just a technical failure.
Respond immediately: if you are affected by a cyber or other “personal data breach”, contact the ICO immediately where the law requires this (any breach of any substance will inevitably require this). Ensure you promptly assess the risk to the individuals affected and notify them as well where the law requires this or where it is sensible to do so (e.g. to mitigate damage to those involved), and provide full cooperation to the ICO throughout. Take immediate steps to contain and then stop the incident. This will also help in mitigation of any fine.
Buyer beware: if you acquire another business you need to carry out robust GDPR and IT security due diligence to ensure you do not inherit a problem.
Don’t neglect compliance: take GDPR compliance seriously, be prepared for the worst and ensure you have appropriate technical and organisational security measures in place to ensure a level of security appropriate to the risk, and regularly test the measures in place.
Review or take out appropriate insurance cover: this is not a panacea but there are an increasing number of products available.
Learn from your mistakes: it is likely most businesses will suffer some sort of personal data breach or cyber/IT security incident at some point – not necessarily a major one. It is imperative to learn from the experience and prevent a repeat.