On Monday 8 July, news broke of the staggering fine of more than £183 million that the Information Commissioner’s Office (ICO) intended to levy against British Airways (BA) as a result of a hack that took place last summer, compromising the personal data of 500,000 of the airline's customers.
Hot on its heels, another confidential intention to fine Marriott International (Marriott) hit the press for their belated discovery of a hacking incident dating back to 2014, affecting the personal data of 383 million hotel guests globally – at least 30 million of whom were resident in the European Economic Area (EEA). Both breaches concerned, amongst other information, payment card details and, in Marriott’s case, passport information.
Why it might have happened
Whilst there is widespread speculation about the noteworthy size of these proposed fines, the truth is that we have very little available in the public domain explaining the ICO’s rationale. The intention to serve a fine is generally confidential but was made public by both BA and Marriott due to business imperatives. Both have 28 days to appeal the ICO’s decision; both intend to defend their positions vigorously, and it is possible, though unlikely, that 16 weeks from the date of these published intentions, the parties will agree a still eye-watering but significantly reduced figure. Crucially, along with such information will come a monetary penalty notice (MPN), which will detail exactly what factors the ICO took into account in deciding the figures.
A combination of preliminary rumblings from the ICO’s office and the wording of section 155(3) of the Data Protection Act 2018 suggests that these factors are likely to include:
- the huge number of individuals affected;
- the nature of the personal data and the gravity and duration of the failure to protect – in the case of Marriott, the actual breach dated back to 2014 and was announced on 30 November 2018;
- the size, turnover and prominence of these corporate behemoths – the French data protection regulator, the Commission Nationale de l'Informatique et des Libertés (CNIL), recently issued a much-publicised €50 million fine against Google for lack of transparency and consent in terms of its privacy notices etc., and the ICO will be keen to abide by the same mantra: with great power comes great responsibility. These were not small businesses or charities; these were large businesses who should have taken care of people’s personal data;
- technical and organisational measures implemented – in the words of the ICO “The GDPR makes it clear that organisations must be accountable for the personal data they hold including carrying out proper due diligence when making a corporate acquisition” (Marriott bought Starwood hotels in 2016 and clearly failed to investigate the data hygiene of Starwood’s databases adequately);
- cybersecurity credentials – both BA and Marriott will seek to argue, perhaps quite legitimately, that the cyberattacks in question were ‘criminal’ and unusually sophisticated. However, the ICO has made it clear that its job is to examine what, if any, doors were left open to make these companies an easy target for hackers; for example, were both organisations compliant with Payment Card Industry (PCI) standards? The CVV codes on credit cards at British Airways were purportedly unencrypted;
- the long-term implications for people – examples include stolen IDs, fraudulent transactions and fear that data profiles would be traded as rich pickings on the dark web;
- how collaborative the organisations were with the ICO/what they did to minimise the impact of the breach;
- the intentional or negligent character of the breaches, including any relevant previous failures – the largest hotel chain in the world should have had adequate resource to conduct thorough legal due diligence to explore the ins and outs of its acquisition of Starwood hotels. This is not the first time that BA’s IT systems have failed it in one way or another; and
- whether the penalty would be effective, proportionate and dissuasive – the ICO would have been deeply aware that fining Facebook £500,000 (for the Cambridge Analytica scandal, which led to the exploitation of personal data belonging to 87 million people; the highest possible penalty under the Data Protection Act 1998), though a damning indictment, was like a drop in the ocean when it came to deterrence. Arguably, matters could have been worse; the BA fine represents just 1.5% of annual global turnover, not the 4% it could have been.
It is likely that much will be submitted to the ICO by way of written representations on behalf of the parties in this crucial 28-day period. With some of the best legal minds in the world at work, it remains to be seen what, if any, difference it will make to the ICO’s deliberations. Amidst the maelstrom, a class action is potentially in the offing for BA in the UK, and several US states are investigating the Marriott breach. The one concrete takeaway we can all hold fast to in these uncertain times is that, whilst the penalties may be a lot more sizeable, the rules for how the game is played remain very much the same.
What can you do to ensure that the personal data that you hold is adequately protected?
- implement simple steps: keep a lockable cabinet, adopt a cybersecurity policy, update your systems and apps regularly, and back up everything;
- introduce encryption and stronger password protection for all laptops, USB devices and for sending and storing sensitive personal information such as safeguarding reports, bank details, HR records, care files and data relating to children;
- do not leave confidential paperwork or machines carrying sensitive information unattended, or out in the open;
- ensure that you pay careful attention to conducting due diligence into the privacy practices of potential merger and acquisition targets;
- do not keep personal data for any longer than necessary;
- ensure that any third parties with whom you share information, including your processors, are not just data protection compliant but also compliant with any relevant industry standards;
- put breach-management protocols in place to ensure that breaches are discovered, reported, and dealt with promptly and well;
- train your staff regularly, and audit your facilities every six months or annually to ensure uniformity of practice; and
- don’t panic – remember that when issuing a penalty, the ICO will consider a host of factors, including those listed above. The real threat is not an ICO fine or even court action by aggrieved data subjects, but reputational damage that comes from public enforcement and the loss of user trust that inevitably follows.
For further information
If you would like to discuss any concerns that you have around the personal information that you process on behalf of your customers, service-users, pupils, congregations, tenants or staff, please get in touch with Eeshma Qazi.