Intentions to fine BA and Marriott – a harbinger of what’s to come or a tempest in a rather large teacup?

On Monday 8 July, news broke of the staggering fine of more than £183million the Information Commissioner’s Office (ICO) intended to levy against British Airways (BA) as a result of a hack that took place last summer, compromising the personal data of 500,000 of the airline's customers.

Hot on its heels, another confidential intention to fine Marriott International (Marriott) hit the press for their belated discovery of a hacking incident dating back to 2014, affecting the personal data of 383 million hotel guests globally – at least 30 million of whom were resident in the European Economic Area (EEA). Both breaches concerned, amongst other information, payment card details and, in Marriott’s case, passport information.

Why it might have happened

Whilst there is widespread speculation about the noteworthy size of these proposed fines, the truth is that we have very little available in the public domain explaining the ICO’s rationale. The intention to serve a fine is generally confidential but was made public by both BA and Marriott due to business imperatives. Both have 28 days to appeal the ICO’s decision; both intend to defend their positions vigorously, and it is possible, though unlikely, that 16 weeks’ from the date of these published intentions, the parties will agree a still eye-watering but significantly reduced figure. Crucially, along with such information will come a monetary penalty notice (MPS), which will detail exactly what factors the ICO took into account on deciding the numbers.

A combination of preliminary rumblings from the ICO’s office and the wording of section 155(3) of the Data Protection Act 2018 suggest that these factors are likely to include:

the huge number of individuals affected;
the nature of the personal data and the gravity and duration of the failure to protect – in the case of Marriott, the actual breach dated back to 2014 and was announced on 30 November 2018;
the size, turnover and prominence of these corporate behemoths – the French data protection regulator, the Commission Nationale de l'Informatique et des Libertés (CNIL), recently issued a much-publicised €50million fine against Google for lack of transparency and consent in terms of its privacy notices etc., and the ICO will be keen to abide by the same mantra; with great power comes great responsibility. These were not small businesses or charities; these were large businesses who should have taken care of people’s personal data.
technical and organisational measures implemented – in the words of the ICO “The GDPR makes it clear that organisations must be accountable for the personal data they hold including carrying out proper due diligence when making a corporate acquisition” (Marriott bought Starwood hotels in 2016 and clearly failed to investigate the data hygiene of Starwood’s databases adequately);
cybersecurity credentials – both BA and Marriott will seek to argue, perhaps quite legitimately, that the cyberattacks in question were ‘criminal’ and unusually sophisticated. However, the ICO has made it clear that its job is to examine what, if any, doors were left open to make these companies an easy target by hackers; for example, were both organisations compliant with Payment Card Industry (PCI) standards? The CVV codes on credit cards at British Airways were purportedly unencrypted;
the long-term implications for people – examples include stolen IDs, fraudulent transactions and fear that data profiles would be traded as rich pickings on the dark web;
how collaborative the organisations were with the ICO/what they did to minimise the impact of the breach;
the intentional or negligent character of the breaches, including any relevant previous failures – the largest hotel chain in the world should have had adequate resource to conduct thorough legal due diligence to explore the ins and outs of its acquisition of Starwood hotels. This is not the first time that BA’s IT systems have failed it in one way or another; and;
whether the penalty would be effective, proportionate and dissuasive – the ICO would have been deeply aware that fining Facebook £500,000 (for the Cambridge Analytica scandal, which led to the exploitation of personal data belonging to 87 million people; the highest possible penalty under the Data Protection Act 1998), though a damning indictment, was like a drop in the ocean when it came to deterrence. Arguably, matters could have been worse; the BA fine represents just 1.5% of annual global turnover, not the 4% it could have been.

It is likely that much will be submitted to the ICO by way of written representations on behalf of the parties in this crucial 28-day period. With some of the best legal minds in the world at work, it remains to be seen what, if any, difference it will make to the ICO’s deliberations. Amidst the maelstrom, a class action is potentially in the offing for BA in the UK, and several US states are investigating the Marriott breach. The one concrete takeaway we can all hold fast to in these uncertain times is that, whilst the penalties may be a lot more sizeable, the rules for how the game is played remain very much the same.

What can you do to ensure that the personal data that you hold is adequately protected?

implement simple steps, have a lockable cabinet, a cybersecurity policy, update your systems and apps regularly, and backup everything;
introduce encryption and stronger password protection for all laptops, USB devices and for sending and storing sensitive personal information such as safeguarding reports, bank details, HR records, care files and data relating to children;
do not leave confidential paperwork or machines carrying sensitive information unattended, or out in the open;
ensure that you pay careful attention to conducting due diligence into the privacy practices of potential merger and acquisition targets;
do not keep personal data for any longer than necessary;
ensure that any third-parties with whom you share information, including your processors, are not just data protection compliant but also compliant with any relevant industry standards;
put breach-management protocols in place to ensure that breaches are discovered, reported, and dealt with promptly and well;
train your staff regularly, audit your facilities every six months or annually to ensure uniformity of practice; and;
don’t panic – remember that when issuing a penalty, the ICO will consider a host of factors, including those listed above. The real threat is not an ICO fine or even court action by aggrieved data subjects, but reputational damage that comes from public enforcement and the loss of user trust that inevitably follows.

For further information

If you would like to discuss any concerns that you have around the personal information that you process on behalf of your customers, service-users, pupils, congregations, tenants or staff, please get in touch with Eeshma Qazi.

Latest news and ebriefings

Joint ventures partnership roundtable Tuesday 13 August 2019

We hosted a breakfast roundtable with Insider Midlands magazine that had attendees from a range of organisations addressing housing needs in the Midlands. The discussion explored JVs in more detail.

“Holiday, celebrate”…but not if you employ term-time-only employees or use zero-hours contracts Friday 9 August 2019

The decision of the Court of Appeal in The Harpur Trust v Brazel & Unison has made clear that employers can no longer legally calculate part-time holiday based on 12.07% of hours worked over a year.

Landlords, possession proceedings and the Equality Act Thursday 8 August 2019

Social landlords are seeing a rising number of Equality Act defences to possession proceedings. A recent Court of Appeal decision helps shift the likelihood of such defences succeeding.

'Building a safer future' consultation response Tuesday 6 August 2019

On 31 July, the consultation period ended on MHCLG’s proposals for reforming the building safety regulatory system set out in the 'Building a Safer Future' document. We have submitted our response.

Insourcing for local authorities Monday 5 August 2019

For decades now, fewer and fewer services provided by local authorities have been delivered directly by them. However, over the last couple of years, there are signs that this tide is changing.

Modern slavery – looking out for shackles in the supply chain Friday 2 August 2019

The Government commissioned an independent review of the Modern Slavery Act 2015 in July 2018. The outcome was published in May 2019 which highlighted areas for improvement.

Charity Tax Commission report: reforming charity taxation Thursday 1 August 2019

In 2017, the NCVO commissioned a review of the tax reliefs available to charities. The brainchild of this review was published on 17 July 2019 in the form of the Charity Tax Commission report.

The Charity Commission: updated guidance for reporting a serious incident Wednesday 31 July 2019

In 2014, the Charity Commission released its first guidance for charities on reporting serious incidents. The Commission has recently updated this guidance.

Contract management pitfalls – part 3 Monday 29 July 2019

In the third part of our series on contract management pitfalls, we look at the risks and opportunities presented by instructing changes under construction contracts.

Company secretary update – July 2019 Thursday 25 July 2019

Our spotlight piece considers the role of a Senior Independent Director and sector best practice. We also explore recent developments in case law, regulatory and data protection updates, and more.