Intentions to fine BA and Marriott – a harbinger of what’s to come or a tempest in a rather large teacup?

On Monday 8 July, news broke of the staggering fine of more than £183million the Information Commissioner’s Office (ICO) intended to levy against British Airways (BA) as a result of a hack that took place last summer, compromising the personal data of 500,000 of the airline's customers.

Hot on its heels, another confidential intention to fine Marriott International (Marriott) hit the press for their belated discovery of a hacking incident dating back to 2014, affecting the personal data of 383 million hotel guests globally – at least 30 million of whom were resident in the European Economic Area (EEA). Both breaches concerned, amongst other information, payment card details and, in Marriott’s case, passport information.

Why it might have happened

Whilst there is widespread speculation about the noteworthy size of these proposed fines, the truth is that we have very little available in the public domain explaining the ICO’s rationale. The intention to serve a fine is generally confidential but was made public by both BA and Marriott due to business imperatives. Both have 28 days to appeal the ICO’s decision; both intend to defend their positions vigorously, and it is possible, though unlikely, that 16 weeks’ from the date of these published intentions, the parties will agree a still eye-watering but significantly reduced figure. Crucially, along with such information will come a monetary penalty notice (MPS), which will detail exactly what factors the ICO took into account on deciding the numbers.

A combination of preliminary rumblings from the ICO’s office and the wording of section 155(3) of the Data Protection Act 2018 suggest that these factors are likely to include:

• the huge number of individuals affected;
• the nature of the personal data and the gravity and duration of the failure to protect – in the case of Marriott, the actual breach dated back to 2014 and was announced on 30 November 2018;
• the size, turnover and prominence of these corporate behemoths – the French data protection regulator, the Commission Nationale de l'Informatique et des Libertés (CNIL), recently issued a much-publicised €50million fine against Google for lack of transparency and consent in terms of its privacy notices etc., and the ICO will be keen to abide by the same mantra; with great power comes great responsibility. These were not small businesses or charities; these were large businesses who should have taken care of people’s personal data.
• technical and organisational measures implemented – in the words of the ICO “The GDPR makes it clear that organisations must be accountable for the personal data they hold including carrying out proper due diligence when making a corporate acquisition” (Marriott bought Starwood hotels in 2016 and clearly failed to investigate the data hygiene of Starwood’s databases adequately);
• cybersecurity credentials – both BA and Marriott will seek to argue, perhaps quite legitimately, that the cyberattacks in question were ‘criminal’ and unusually sophisticated. However, the ICO has made it clear that its job is to examine what, if any, doors were left open to make these companies an easy target by hackers; for example, were both organisations compliant with Payment Card Industry (PCI) standards? The CVV codes on credit cards at British Airways were purportedly unencrypted;
• the long-term implications for people – examples include stolen IDs, fraudulent transactions and fear that data profiles would be traded as rich pickings on the dark web;
• how collaborative the organisations were with the ICO/what they did to minimise the impact of the breach;
• the intentional or negligent character of the breaches, including any relevant previous failures – the largest hotel chain in the world should have had adequate resource to conduct thorough legal due diligence to explore the ins and outs of its acquisition of Starwood hotels. This is not the first time that BA’s IT systems have failed it in one way or another; and;
• whether the penalty would be effective, proportionate and dissuasive – the ICO would have been deeply aware that fining Facebook £500,000 (for the Cambridge Analytica scandal, which led to the exploitation of personal data belonging to 87 million people; the highest possible penalty under the Data Protection Act 1998), though a damning indictment, was like a drop in the ocean when it came to deterrence. Arguably, matters could have been worse; the BA fine represents just 1.5% of annual global turnover, not the 4% it could have been.
  
  

It is likely that much will be submitted to the ICO by way of written representations on behalf of the parties in this crucial 28-day period. With some of the best legal minds in the world at work, it remains to be seen what, if any, difference it will make to the ICO’s deliberations. Amidst the maelstrom, a class action is potentially in the offing for BA in the UK, and several US states are investigating the Marriott breach. The one concrete takeaway we can all hold fast to in these uncertain times is that, whilst the penalties may be a lot more sizeable, the rules for how the game is played remain very much the same.

What can you do to ensure that the personal data that you hold is adequately protected?

• implement simple steps, have a lockable cabinet, a cybersecurity policy, update your systems and apps regularly, and backup everything;
• introduce encryption and stronger password protection for all laptops, USB devices and for sending and storing sensitive personal information such as safeguarding reports, bank details, HR records, care files and data relating to children;
• do not leave confidential paperwork or machines carrying sensitive information unattended, or out in the open;
• ensure that you pay careful attention to conducting due diligence into the privacy practices of potential merger and acquisition targets;
• do not keep personal data for any longer than necessary;
• ensure that any third-parties with whom you share information, including your processors, are not just data protection compliant but also compliant with any relevant industry standards;
• put breach-management protocols in place to ensure that breaches are discovered, reported, and dealt with promptly and well;
• train your staff regularly, audit your facilities every six months or annually to ensure uniformity of practice; and;
• don’t panic – remember that when issuing a penalty, the ICO will consider a host of factors, including those listed above. The real threat is not an ICO fine or even court action by aggrieved data subjects, but reputational damage that comes from public enforcement and the loss of user trust that inevitably follows.
  
  

For further information

If you would like to discuss any concerns that you have around the personal information that you process on behalf of your customers, service-users, pupils, congregations, tenants or staff, please get in touch with Eeshma Qazi.