IP Insight: Record Data Breach Fine for British Airways and Marriott
IP Insight is a series from Virtuoso Legal, the intellectual property specialists.
Last year saw the largest fine in recent years for breach of data protection legislation. The Information Commissioner’s Office (ICO) imposed a £500,000 levy against Facebook for its role in the Cambridge Analytica scandal (the one which saw Mark Zuckerberg dragged before Congress in the US). This fine was handed out under the Data Protection Act 1998, which had a maximum penalty amount of £500,000. This maximum amount has now risen since the introduction of GDPR in May 2018, to a far higher cap of 4% of the offending business’s annual turnover.
In the first decision made public since GDPR came into effect, the ICO announced this week that British Airways is facing a whopping £183.39 million fine following last summer’s hacking attack on their website.
Details of circa 500,000 customers were taken by hackers after customers were diverted to a fraudulent site which harvested their payment details, booking information, names and addresses.
ICO, in a damning statement said that the breach was due to ‘poor security arrangements at the company’.
In a statement to the BBC, the chief executive of BA said that the company was ‘surprised and disappointed’, and that they would ‘take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals’.
BA’s surprise arguable stems from the fact that that they cooperated fully with the ICO investigation and had found no evidence of fraud on any customer accounts which were accessed as a result of the hack. However, ICO (whose aim is to protect information rights) are less concerned with what hackers can do with the information that they access and more concerned with their ability to access it in the first place.
In a statement, Information Commissioner Elizabeth Denham said:
"People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.” – Elizabeth Denham
Breaches of GDPR can incur fines of 4% of an infringing business’ annual turnover. So, whilst the £183 million may seem steep, it could have been much worse for BA, whose 4% annual turnover is more in the region of £500 million.
Marriott International Inc.
In the same week, ICO has announced another fine, this time of just over £99 million for international hotel chain, Marriot. Again, this related to a cyber attack by hackers, dating back to 2014. The difference in this case was that the attack originated outside of the Marriott group. The Starwood group of hotels had their customer information compromised, with circa 339 million guest records exposed, of which 30 million related to European residents, and 7 million related to UK residents.
The Starwood group was then acquired by Marriott in 2016. The ICO investigation found that Marriott hadn’t carried out sufficient due diligence when acquiring the Starwood group and that more should have been done to secure the systems and prevent the further compromise of customer data. In a statement, Information Commissioner Elizabeth Denham said:
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.” - Elizabeth Denham
This case is a cautionary tale of the expensive consequences of failing to carry out proper due diligence when acquiring other businesses. A failure to adequately secure the personal data of customers held by the acquired business could result in negative consequences which come to light long after the acquisition has completed.
Whereas multi-million-pound corporation like BA and Marriott can arguably weather such a hefty fine and bounce back, the same may not be said for small and medium businesses. For smaller enterprises, the potential consequences of a GDPR breach could prove fatal, and it is worth bearing in mind that GDPR applies to all who handle customer data, not just the tech giants. It is well worth taking the time before any issues arise to ensure that your business is fully compliant and that all security measures which protect your customer data are sufficient.