The monthly round-up from the Anthony Collins Solicitors charities team.
On Monday 8 July, news broke of the staggering fine of more than £183million the Information Commissioner’s Office (ICO) intended to levy against British Airways (BA) as a result of a hack that took place last summer, compromising the personal data of 500,000 of the airline's customers.
Hot on its heels, another confidential intention to fine Marriott International (Marriott) hit the press for their belated discovery of a hacking incident dating back to 2014, affecting the personal data of 383 million hotel guests globally – at least 30 million of whom were resident in the European Economic Area (EEA). Both breaches concerned, amongst other information, payment card details and, in Marriott’s case, passport information.
Why it might have happened
Whilst there is widespread speculation about the noteworthy size of these proposed fines, the truth is that we have very little available in the public domain explaining the ICO’s rationale. The intention to serve a fine is generally confidential but was made public by both BA and Marriott due to business imperatives. Both have 28 days to appeal the ICO’s decision; both intend to defend their positions vigorously, and it is possible, though unlikely, that 16 weeks’ from the date of these published intentions, the parties will agree a still eye-watering but significantly reduced figure. Crucially, along with such information will come a monetary penalty notice (MPS), which will detail exactly what factors the ICO took into account on deciding the numbers.
A combination of preliminary rumblings from the ICO’s office and the wording of section 155(3) of the Data Protection Act 2018 suggest that these factors are likely to include:
- the huge number of individuals affected;
- the nature of the personal data and the gravity and duration of the failure to protect – in the case of Marriott, the actual breach dated back to 2014 and was announced on 30 November 2018;
- the size, turnover and prominence of these corporate behemoths – the French data protection regulator, the Commission Nationale de l'Informatique et des Libertés (CNIL), recently issued a much-publicised €50million fine against Google for lack of transparency and consent in terms of its privacy notices etc., and the ICO will be keen to abide by the same mantra; with great power comes great responsibility. These were not small businesses or charities; these were large businesses who should have taken care of people’s personal data.
- technical and organisational measures implemented – in the words of the ICO “The GDPR makes it clear that organisations must be accountable for the personal data they hold including carrying out proper due diligence when making a corporate acquisition” (Marriott bought Starwood hotels in 2016 and clearly failed to investigate the data hygiene of Starwood’s databases adequately);
- cybersecurity credentials – both BA and Marriott will seek to argue, perhaps quite legitimately, that the cyberattacks in question were ‘criminal’ and unusually sophisticated. However, the ICO has made it clear that its job is to examine what, if any, doors were left open to make these companies an easy target by hackers; for example, were both organisations compliant with Payment Card Industry (PCI) standards? The CVV codes on credit cards at British Airways were purportedly unencrypted;
- the long-term implications for people – examples include stolen IDs, fraudulent transactions and fear that data profiles would be traded as rich pickings on the dark web;
- how collaborative the organisations were with the ICO/what they did to minimise the impact of the breach;
- the intentional or negligent character of the breaches, including any relevant previous failures – the largest hotel chain in the world should have had adequate resource to conduct thorough legal due diligence to explore the ins and outs of its acquisition of Starwood hotels. This is not the first time that BA’s IT systems have failed it in one way or another; and;
- whether the penalty would be effective, proportionate and dissuasive – the ICO would have been deeply aware that fining Facebook £500,000 (for the Cambridge Analytica scandal, which led to the exploitation of personal data belonging to 87 million people; the highest possible penalty under the Data Protection Act 1998), though a damning indictment, was like a drop in the ocean when it came to deterrence. Arguably, matters could have been worse; the BA fine represents just 1.5% of annual global turnover, not the 4% it could have been.
It is likely that much will be submitted to the ICO by way of written representations on behalf of the parties in this crucial 28-day period. With some of the best legal minds in the world at work, it remains to be seen what, if any, difference it will make to the ICO’s deliberations. Amidst the maelstrom, a class action is potentially in the offing for BA in the UK, and several US states are investigating the Marriott breach. The one concrete takeaway we can all hold fast to in these uncertain times is that, whilst the penalties may be a lot more sizeable, the rules for how the game is played remain very much the same.
What can you do to ensure that the personal data that you hold is adequately protected?
- implement simple steps, have a lockable cabinet, a cybersecurity policy, update your systems and apps regularly, and backup everything;
- introduce encryption and stronger password protection for all laptops, USB devices and for sending and storing sensitive personal information such as safeguarding reports, bank details, HR records, care files and data relating to children;
- do not leave confidential paperwork or machines carrying sensitive information unattended, or out in the open;
- ensure that you pay careful attention to conducting due diligence into the privacy practices of potential merger and acquisition targets;
- do not keep personal data for any longer than necessary;
- ensure that any third-parties with whom you share information, including your processors, are not just data protection compliant but also compliant with any relevant industry standards;
- put breach-management protocols in place to ensure that breaches are discovered, reported, and dealt with promptly and well;
- train your staff regularly, audit your facilities every six months or annually to ensure uniformity of practice; and;
- don’t panic – remember that when issuing a penalty, the ICO will consider a host of factors, including those listed above. The real threat is not an ICO fine or even court action by aggrieved data subjects, but reputational damage that comes from public enforcement and the loss of user trust that inevitably follows.
For further information
If you would like to discuss any concerns that you have around the personal information that you process on behalf of your customers, service-users, pupils, congregations, tenants or staff, please get in touch with Eeshma Qazi.
In this ebriefing, we identify what we see as the key messages arising from recent prosecutions in the care and housing sectors.
A recent High Court case on costs could prove essential reading for clients who have cases in the magistrates' courts.
The employment and pensions team offer practical advice on whistleblowing.
Partners, David Alcock and Sarah Patrice, have been involved in reviewing the new Code of Governance for community-led housing, published on 21 May 2021 by the Confederation for Coop Housing.
Following the eviction ban being lifted on 31 May 2021 and further to our previous ebriefing, the new notice of seeking possession forms are now available on the Government website as Word versions.
The European Court of Justice's standpoint on the Wiener Wohnen landowning developer case, and how the level of influence over the work did not amount to a decisive influence.
The Law Commission's Technical Issues in Charity Law report revealed that many charities struggle with a range of technical issue in the law.
The Law Commission recommended four key changes to the law in respect of mergers and the incorporation of charities which we have detailed in this ebriefing.
Over the last few weeks, we have published individual ebriefings on some of the key changes to be implemented following the Government’s response to the Law Commission’s report.
To receive invitations to our events, as well as information and articles on legal issues and sector developments that are of interest to you, please sign up to Newsroom.