Short Reads

ICO to impose record-breaking fines for inadequate security measures and data breaches

15.07.2019 EU law

Though the European data protection authorities have taken their time in enforcing the GDPR, two announcements by the ICO in the UK regarding proposed fines for British Airways and Marriott demonstrate that large fines are about to start landing regularly. Both substantial fines are to be handed out as a result of shortcomings in the handling of data breaches caused by cyber-attacks.

In both cases, the breaches were notified by the affected parties, who cooperated with the ICO's investigation. In the Marriott case, the ICO also emphasises the importance of conducting appropriate due diligence on data protection compliance in mergers and acquisitions. Finally, the threat of private mass damage claims as a result of GDPR violations is also rearing its head, which may result in companies being hit with substantial dual punishments for data breaches.

The British data protection authority, the Information Commissioner's Office ("ICO"), recently announced its intention to impose two record-breaking fines of GBP 183 million and GBP 99 million on British Airways and Marriott International respectively for breaches of data protection law. If imposed, these fines will become the largest to be levied under the General Data Protection Regulation ("GDPR") since its introduction in May 2018, surpassing the EUR 50 million fine imposed on Google by the French data protection authority earlier this year. As predicted, the 'regulatory warm-up phase' seems to have finished, and data protection authorities have now started to hand out considerable fines.

The reason for these provisional announcements by the ICO derives from UK and US market abuse regulations. Large fines can potentially affect the share price of the companies in question, and knowledge thereof can be used for insider trading. The final statement of the ICO is expected after due consideration of a final round of representations by the parties involved. The ICO stated that it "will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision."

Breaches of data protection law: what went wrong

As the announcements are still provisional, they give few details about the exact infractions that have led the ICO to propose these fines.

On 8 July 2019 the ICO announced its intention to impose a fine of GBP 183 million on British Airways. This provisional fine concerns British Airways' purportedly inadequate security measures, and a resulting data breach that is believed to have commenced in June 2018. The personal data of about 500,000 British Airways passengers were compromised when hackers managed to redirect visitors of the airline's website to a fraudulent copy of that website, from which the data were stolen. According to the ICO, the hacked data included "log in, payment card, and travel booking details as well as name and address information". The ICO's enforcement action was initiated after British Airways notified it of a cyber incident in September 2018. British Airways has expressed its "surprise and disappointment" at the announced fine, and its intention to contest it.

A day later, on 9 July 2019, the ICO followed its previous notification with the announcement of its intention to impose a fine of GBP 99 million on Marriott International. This second provisional fine similarly concerns inadequate security measures taken by Starwood Hotels, a company acquired by Marriott International in 2016, as well as an ostensibly related data breach. The personal data of about 30 million EU Marriott International guests were said to be compromised. According to Marriott International, the leaked data include, among other things, names, postal and email addresses, phone numbers, passport numbers, dates of birth, gender, and encrypted payment card numbers. The ICO's enforcement action followed Marriott International's notification of a cyber incident in November 2018. Like British Airways, Marriott International has expressed its "disappointment" at the announced fine, and its intention to contest it.

Breaches of data protection law: legal framework

Under the GDPR, a data controller must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.[1] When deciding on and implementing security measures, a data controller must take into account its processing activities and the risks thereof, the state of the art, and the costs of implementation. Examples of security measures that may be considered appropriate, depending on the circumstances, include encryption of personal data and adherence to an approved code of conduct, such as sector-wide data protection protocols. These enforcement actions by the ICO stress the importance of adequate security measures.

The ICO found British Airways' security systems to be substantially lacking. This also follows from Information Commissioner Elizabeth Denham's statement on the matter:

"People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

In the Marriott case, the ICO argues that Marriott International should have conducted better due diligence before acquiring Starwood Hotels, which should have taken into account how Starwood Hotels protected personal data. Denham again stressed the importance of adequate data protection measures:

"Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public."

Regulatory enforcement: severe fines

The GDPR was introduced in the EU in May 2018, to much fanfare. It drastically increased the fines that can be levied for breaches of data protection law: a maximum fine of 4% of an undertaking's global annual turnover can now be imposed. For instance, the provisional fine of GBP 183 million imposed on British Airways has been reported as constituting around 1.5% of the airline's global turnover, meaning that the already record-breaking fine could in theory have been much higher. It took some time for the first significant fines to be announced under the GDPR.

It seems the ICO has sought to set an example with its intention to impose record-breaking fines on two high-profile companies. Its message to all companies engaged in the processing of personal data is clear: get your information security in order, and continually reassess and update it. However, the regulator has set the standard at an uncomfortably high level for most data controllers and processors. Both British Airways and Marriott International suffered data breaches caused by computer attacks, notified the ICO of the breach and made remediation efforts by improving their information security systems. Even the most secure companies can be victimised by sophisticated computer attacks, which can be incidents beyond their reasonable control.

With these factors in mind, the proposed fines at first sight seem very severe. The result may be an adverse effect, whereby companies are discouraged from reporting data breaches, especially those caused by hacks and cyber-attacks, to the relevant data protection authorities for fear of incurring large fines. Since notifying and sharing information about hacks and cyber-attacks can be of vital importance to the protection of personal data held by other data controllers and processors, such an effect would be detrimental to every organisation and citizen concerned.

Civil damages

In addition to the announced provisional fines, British Airways and Marriott International run the risk of civil damages claims. The GDPR explicitly allows data subjects to mandate a representative to exercise their right to claim damages, which in turn allows claim organisations to process and litigate claims on behalf of many affected persons. The first effort to set up such a mass claim has already been put in place in respect of the British Airways case, and suggests a claim amount of GBP 200 per victim. Taking into account that the data breach compromised the personal data of around 500,000 British Airways passengers, mass litigation could result in a damages claim of up to GBP 100 million. Although British Airways may dispute the extent of the damage suffered from the data breach, even a low award per affected data subject easily adds up to a high total, due to the large number of data subjects involved. Thus, regulatory fines for data leaks involving many data subjects may well be followed by substantial civil damages claims.

Lastly, the ICO has stated that it will consider representations from both British Airways and Marriott International, and from all parties involved, such as the other EU data protection authorities it has consulted under the GDPR's 'one-stop-shop mechanism'. We await the final decision of the ICO and the full report on the exact facts and findings regarding the alleged breaches of data protection law.

With thanks to Frederiek Fernhout and Jurriaan van Mil.


[1] Article 32 GDPR
