In the past two days, the UK Information Commissioner’s Office (ICO) has issued (potential) GDPR fines of £183.39m and £99.2m on British Airways (BA) and Marriott International Inc., respectively. These are the first fines to be issued by the ICO under the GDPR, and the biggest fines issued by an EU Data Protection Authority (DPA) to date. As the fines affected individuals in multiple Member States, the ‘one stop shop’ provisions in the GDPR apply, and the ICO has therefore been required to liaise with other EU DPAs.
The fines highlight the importance of companies ensuring that robust security measures are in place to protect personal data and undertaking appropriate due diligence in corporate mergers and acquisitions. As the EU DPAs are encouraged to adopt a consistent approach to the imposition of administrative fines, the ICO’s fines serve as a warning to companies of the level of GDPR fines that may be imposed by the Irish Data Protection Commission for data breaches resulting from weak security measures.
The ICO does not routinely publish notices of intent to levy a penalty, however the ICO’s policy on “Communicating Regulatory Enforcement Activity” states that such notices may be published in certain circumstances, including where the matter is already in the public domain; there are financial market reporting obligations; or it is necessary for international regulatory cooperation. The ICO statements of intent to fine BA and Marriott were issued in response to an announcement by BA to the London Stock Exchange, and a filing by Marriott with the US Securities and Exchange Commission, that the ICO intended to fine them for breaches of data protection law.
(i) BA Fine
The £183.39m fine which the ICO proposes to impose on BA concerns a cyber incident that is believed to have begun in June 2018, and was reported by BA to the ICO in September 2018. The incident involved user traffic to the BA website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. As a result, personal data, including names and addresses, as well as log in, payment card, and travel booking details of approximately 500,000 customers were compromised. The ICO’s fine was imposed as a result of BA’s alleged failure to implement appropriate security measures to protect its customer’s personal data. The fine constitutes 1.5% of BA’s worldwide turnover for 2017. Under the GDPR, EU DPAs have the power to impose fines of up to €20m or up to 4% of annual worldwide turnover for the preceding financial year, whichever is higher.
(ii) Marriott Fine
The £99.2 fine which the ICO proposes to impose on Marriott relates to a cyber incident which was notified by Marriott to the ICO in November 2018. The personal data breach involved approximately 339 million guest records globally, of which around 30 million related to residents of 31 countries in the EEA. The breach is believed to have begun in 2014, when the guest reservation database of the Starwood Hotels group was compromised. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO believes that Marriott failed to undertake sufficient due diligence when it acquired Starwood and should also have done more to secure its systems. The potential fine shows the importance of purchasers conducting comprehensive due diligence in corporate mergers and acquisitions for the purpose of ensuring the vendor has complied with data protection law and, in particular, that robust security measures have been put in place to protect the personal data that is being acquired. In addition, purchasers should have due regard to these issues in the negotiation of warranty and liability provisions in the acquisition documentation (including any permitted knowledge qualifications).
An indicator of what’s ahead?
These fines show the ICO is taking a strong stance against companies who fail to implement appropriate security measures to protect customer’s personal data, and is prepared to issue substantial fines where necessary. However, it is noteworthy that the ICO’s Annual Report for March 2018-2019, which was published today, indicates that in 82% of the personal data breaches assessed and closed over the past year, the ICO determined that no further action was required, on the basis that the organisation had appropriate measures in place or was taking steps to address the breach. The ICO only required data controllers to take further action in 17% of cases. Less than 1% led to action beyond that, such as improvement action plans, further investigation audit visits, or civil monetary penalties being pursued. Though three major fines were issued by the ICO against Equifax (£500,000), Uber (£385,000), and Yahoo! (£250,000) as a result of failures in cyber security.
BA and Marriott now have an opportunity to make representations to the ICO about the imposition of these potential fines. The ICO will also have regard to representations from other concerned EU DPAs whose residents have been affected by the breach, before it makes its final decision as to the level of fine to impose. Both BA and Marriott have announced their intention to respond to the ICO and to “vigorously” defend their position.