Though the European data protection authorities have taken their time in enforcing the GDPR, two announcements by the ICO in the UK regarding proposed fines for British Airways and Marriott demonstrate that large fines are about to start landing regularly. Both of the substantial fines are to be handed out as a result of shortcomings in handling data breaches caused by cyber-attacks.
In both cases, the breaches were notified by the affected parties, who provided their cooperation with the ICO's investigation. In the Marriott case, the ICO also emphasises the importance of conducting appropriate due diligence investigations regarding data protection compliance in mergers and acquisitions. Finally, the threat of private mass damage claims as a result of GDPR violation is also rearing its head, which may result in companies being hit with substantial dual punishments for data breaches.
The British data protection authority, the Information Commissioner's Office ("ICO"), recently announced its intention to impose two record-breaking fines of GBP 183 million and GBP 99 million on British Airways and Marriott International respectively for breaches of data protection law. If imposed, these fines will become the largest to be levied under the General Data Protection Regulation ("GDPR") since its introduction in May 2018, surpassing the EUR 50 million fine imposed on Google by the French data protection authority earlier this year. As predicted, the 'regulatory warm-up phase' seems to have finished, and data protection authorities have now started to hand out considerable fines.
The reason for these provisional announcements by the ICO derives from in UK and US market abuse regulations. The incurrence of large fines can potentially affect the share price of the companies in question, and knowledge thereof can be used for insider trading. The final statement of the ICO is expected after due consideration of a final round representations by the parties involved. ICO stated that it "will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision."
Breaches of data protection law: what went wrong
As the announcements are still provisional, they are quite limited in details regarding the exact infractions that have led to the intention of the ICO to impose fines.
On 8 July 2019 the ICO announced its intention to impose a fine of GBP 183 million on British Airways. This provisional fine concerns British Airways' purportedly inadequate security measures, and a resulting data breach that is believed to have commenced in June 2018. The personal data of about 500,000 British Airway passengers were compromised when hackers managed to redirect visitors of the airline's website to a fraudulent copy of that website, from which the data were stolen. According to the ICO, the hacked data included "log in, payment card, and travel booking details as well name and address information". The ICO's enforcement action was initiated after British Airways notified it of a cyber incident in September 2018. British Airways has expressed its "surprise and disappointment" at the announced fine, and its intention to contest it.
A day later, on 9 July 2019, the ICO followed on from its previous notification with the announcement of its intention to impose a fine of GBP 99 million on Marriott International. This second provisional fine similarly concerns inadequate security measures taken by Starwood Hotels, a company acquired by Marriott International in 2016, as well as an –ostensibly related - data breach. The personal data of about 30 million EU Marriott International guests were said to be compromised. According to Marriott International, the leaked data includes - among other things - names, post and email addresses, phone numbers, passport numbers, dates of birth, gender, and encrypted payment card numbers. This enforcement action of the ICO follows after Marriott International notified it of a cyber incident in November 2018. Like British Airways, Marriott International has expressed its "disappointment" at the announced fine, and its intention to contest it.
Breaches of data protection law: legal framework
Under the GDPR, a data controller must implement appropriate technical and organisational measures to ensure a level of security. When deciding on and implementing security measures, a data controller must take into accounts its processing activities and the risks thereof, the state of the art, and the costs of implementation. Examples of security measures that may be considered appropriate depending on circumstances include encryption of personal data and adherence to an approved code of conduct, such sector-wide data protection protocols. These enforcement actions by the ICO stress the importance of adequate security measures.
The ICO found British Airways' security systems to be lacking substantially. This also follows from Information Commissioner Elizabeth Denham's statement on the matter:
"People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
In the Marriott case, the ICO argues that Marriott International should have conducted better due diligence before acquiring Starwood Hotels, which should have taken into account how Starwood Hotels protected personal data. Denham again stressed the importance of adequate data protection measures:
"Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public."
Regulatory enforcement: severe fines
The GDPR was introduced in the EU in May 2018, to much fanfare. It drastically increased the fines that could be levied for breaches of data protection law: a maximum fine of 4 % of an undertaking's global annual turnover can now be imposed. For instance, the provisional fine of GBP 183 million imposed on British Airways has been reported as constituting around 1,5 % of the airline's global turnover – meaning that the already record-breaking fine could in theory have been much higher. It took some time for the first significant fines to be announced under the GDPR.
It seems ICO has sought to set an example with its intention to impose record-breaking fines on two high-profile companies. Its message to all companies engaged in the processing of personal data is clear: get your information security in order, and continually reassess and update it. However, the regulator has set the standard at an uncomfortably high level for most data controllers and processors. Both British Airways and Marriott International suffered data breaches caused by computer attacks, notified the ICO of the breach and made remediation efforts by improving their information security systems. Even the most secure companies can be victimised by sophisticated computer attacks, which can be incidents beyond their reasonable control.
Considering these factors in mind, the proposed fines at first sight seem very severe. The result may be an adverse effect, whereby companies are discouraged from reporting data breaches – especially those caused by hacks and cyber-attacks – to the relevant data protection authorities because of the fear of incurring large fines. Where notification and sharing information about hacks and cyber-attacks can be of vital importance to the protection of personal data held by other data controllers and processors, such an effect would be detrimental for every organisation and citizen concerned.
In addition to the announced provisional fines, British Airways and Marriott International run the risk of civil damages claims. The GDPR explicitly allows data subjects to mandate a representative to exercise their right to claim damages, which in turn allows for claim organisations to process and litigate claims on behalf of many affected persons. The first effort to set up such a mass claim has already been put in place in respect of the British Airways case, and suggests a claim amount of GBP 200 per victim. Taken into account that the data breach compromised personal data of around 500.000 British Airways passengers, mass litigation could result in a damages claim of up to GBP 100 million. Although British Airways may dispute the extent of the damages suffered from the data breach, even a low award per affected data subject easily adds up to a high total, due to the large amount of data subjects involved.. Thus, regulatory fines for data leaks involving many data subjects may well be followed by substantial civil damage claims.
Lastly, ICO has stated that it will consider representations from both British Airways and Marriott International, and all parties involved, such as the other EU data protection authorities it has consulted under the GDPR's 'one-stop-shop mechanism'. We await the final decision of the ICO and the full report thereto on the exact facts and findings regarding the alleged breaches of data protection law.
With thanks to Frederiek Fernhout and Jurriaan van Mil.