In response to today's coverage, a spokesperson at Anthony Collins Solicitors said:
On Monday 8 July, news broke of the staggering fine of more than £183 million that the Information Commissioner's Office (ICO) intends to levy against British Airways (BA) following a hack last summer that compromised the personal data of around 500,000 of the airline's customers.
Hot on its heels, another confidential notice of intent to fine, this time against Marriott International (Marriott), hit the press. That one concerns Marriott's belated discovery of a hacking incident dating back to 2014 that affected the personal data of 383 million hotel guests globally, at least 30 million of whom were resident in the European Economic Area (EEA). Both breaches involved, amongst other information, payment card details and, in Marriott's case, passport information.
Why it might have happened
Whilst there is widespread speculation about the noteworthy size of these proposed fines, the truth is that very little is available in the public domain explaining the ICO's rationale. A notice of intent to fine is generally confidential, but both BA and Marriott made theirs public for business reasons. Both have 28 days to make representations in response to the ICO's notice; both intend to defend their positions vigorously, and it is possible, though unlikely, that some 16 weeks from the date of these published intentions the parties will agree a still eye-watering but significantly reduced figure. Crucially, the final decision will come with a monetary penalty notice (MPN), which will set out exactly what factors the ICO took into account in arriving at the numbers.
A combination of preliminary rumblings from the ICO and the wording of section 155(3) of the Data Protection Act 2018 suggests that these factors are likely to include:
- the huge number of individuals affected;
- the nature of the personal data and the gravity and duration of the failure to protect – in the case of Marriott, the actual breach dated back to 2014 and was announced on 30 November 2018;
- the size, turnover and prominence of these corporate behemoths – the French data protection regulator, the Commission Nationale de l'Informatique et des Libertés (CNIL), recently issued a much-publicised €50 million fine against Google for lack of transparency and consent in its privacy notices, and the ICO will be keen to follow the same mantra: with great power comes great responsibility. These were not small businesses or charities; these were large businesses that should have taken care of people's personal data;
- technical and organisational measures implemented – in the words of the ICO “The GDPR makes it clear that organisations must be accountable for the personal data they hold including carrying out proper due diligence when making a corporate acquisition” (Marriott bought Starwood hotels in 2016 and clearly failed to investigate the data hygiene of Starwood’s databases adequately);
- cybersecurity credentials – both BA and Marriott will seek to argue, perhaps quite legitimately, that the cyberattacks in question were 'criminal' and unusually sophisticated. However, the ICO has made it clear that its job is to examine what, if any, doors were left open that made these companies an easy target for hackers; for example, were both organisations compliant with the Payment Card Industry Data Security Standard (PCI DSS)? The CVV codes on payment cards at British Airways were purportedly unencrypted. Note that PCI DSS prohibits storing the CVV at all once a transaction has been authorised, so the question is not only whether such data was encrypted but whether it should have been retained in the first place;
- the long-term implications for people – examples include stolen IDs, fraudulent transactions and fear that data profiles would be traded as rich pickings on the dark web;
- how collaborative the organisations were with the ICO/what they did to minimise the impact of the breach;
- the intentional or negligent character of the breaches, including any relevant previous failures – the largest hotel chain in the world should have had adequate resource to conduct thorough legal due diligence into the ins and outs of its acquisition of Starwood Hotels, and this is not the first time that BA's IT systems have failed it in one way or another; and
- whether the penalty would be effective, proportionate and dissuasive – the ICO would have been deeply aware that fining Facebook £500,000 for the Cambridge Analytica scandal (which led to the exploitation of personal data belonging to 87 million people, and which was the highest possible penalty under the Data Protection Act 1998), though a damning indictment, was a drop in the ocean when it came to deterrence. Arguably, matters could have been worse; the BA fine represents just 1.5% of annual global turnover, not the 4% it could have been.
It is likely that much will be submitted to the ICO by way of written representations on behalf of the parties in this crucial 28-day period. With some of the best legal minds in the world at work, it remains to be seen what, if any, difference it will make to the ICO’s deliberations. Amidst the maelstrom, a class action is potentially in the offing for BA in the UK, and several US states are investigating the Marriott breach. The one concrete takeaway we can all hold fast to in these uncertain times is that, whilst the penalties may be a lot more sizeable, the rules for how the game is played remain very much the same.
What can you do to ensure that the personal data that you hold is adequately protected?
- implement simple steps: have a lockable cabinet, a cybersecurity policy, update your systems and apps regularly, and back up everything (and test that the backups can actually be restored);
- introduce encryption and stronger password protection for all laptops and USB devices, and for sending and storing sensitive personal information such as safeguarding reports, bank details, HR records, care files and data relating to children;
- do not leave confidential paperwork or machines carrying sensitive information unattended, or out in the open;
- ensure that you pay careful attention to conducting due diligence into the privacy practices of potential merger and acquisition targets;
- do not keep personal data for any longer than necessary;
- ensure that any third-parties with whom you share information, including your processors, are not just data protection compliant but also compliant with any relevant industry standards;
- put breach-management protocols in place to ensure that breaches are discovered, reported, and dealt with promptly and well;
- train your staff regularly, and audit your facilities every six months or annually to ensure uniformity of practice; and
- don’t panic – remember that when issuing a penalty, the ICO will consider a host of factors, including those listed above. The real threat is not an ICO fine or even court action by aggrieved data subjects, but reputational damage that comes from public enforcement and the loss of user trust that inevitably follows.
For further information
If you would like to discuss any concerns that you have around the personal information that you process on behalf of your customers, service-users, pupils, congregations, tenants or staff, please get in touch with Eeshma Qazi.