The long-awaited fines for British Airways (BA) and Marriott Hotels have finally been issued and are making headlines again. Together with the penalty notice issued against Ticketmaster, all Data Controllers should take note of the fines levied and, in particular, of the factors the ICO took into account in determining whether to issue a fine and at what level. In this article, we look at the ICO's decisions and some key takeaways going forward.
In 2018, BA made the headlines when the ICO issued a "notice of intent to fine" of £183m for failing to protect the personal data of its customers after a cyber-attack compromised the details of approximately 400,000 of them. The ICO found that BA had insufficient security measures in place (breaching Articles 5(1)(f) and 32 of the GDPR), which not only enabled the cyber-attack but also meant BA failed to detect it for over two months. This would have been the largest fine imposed by a data protection regulator in Europe, so what led to the reduction of nearly 90%, settling at a fine of £20m?
In its penalty notice, the ICO set out the factors it took into account when reducing the fine, including:
- BA’s prompt notification to individuals affected by the breach (i.e. data subjects) and relevant supervisory authorities;
- BA’s offer to reimburse financial losses resulting from the breach;
- BA’s immediate response to the cyber-attack (on becoming aware of it) to take appropriate remedial action;
- the impact the breach has had on BA’s brand and reputation; and
- the economic impact of the COVID-19 pandemic.
Whilst it is helpful to understand the factors that might lead to a reduced fine, it is more important for all Data Controllers to consider the type of security measures the ICO found BA should have had in place when the cyber-attack occurred. These include:
- limiting access to applications, data and tools to those required to fulfil a user's role;
- undertaking rigorous testing of their systems (such as simulating a cyber-attack); and
- protecting employee and third-party accounts with multi-factor authentication.
Not far off the £20m figure, the ICO has also fined Marriott Hotels £18.4m for a cyber-attack that exposed an estimated 339 million guest records. Similarly to BA, Marriott did not become aware of the breach in a timely manner: it originated in 2014, when the systems of the Starwood hotels group (acquired by Marriott in 2016) were compromised, and it was not discovered until 2018.
The ICO reduced this fine from the £99m proposed in its notice of intent to £18.4m, taking into account the steps Marriott took to mitigate the effects of the breach and the economic impact of COVID-19, a theme common to both of these fines.
The ICO's most recent fine was issued against Ticketmaster UK Limited (Ticketmaster) for failing to keep its customers' personal data secure. The breach occurred in 2018 following a cyber-attack on its website, which potentially compromised the data of 9.4 million data subjects in the EEA, 1.5 million of them in the UK alone. An estimated 60,000 payment card details were compromised.
The ICO held that Ticketmaster had failed to comply with its obligations under Articles 5(1)(f) and 32 GDPR, as it had with BA. The ICO identified multiple failures by Ticketmaster to put in place appropriate technical measures, including a failure to protect against third-party scripts running on its payment page and a failure to implement a "layered approach to security".
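As an added illustration of the kind of control the ICO's finding points at, and not part of the ICO's notice or of this article's original text, the following Node.js script audits the `<script>` tags on a constructed payment page in two layers: it checks each script against a Content-Security-Policy `script-src` allowlist, and it requires every third-party script to carry a Subresource Integrity (SRI) hash. The page HTML, the hostnames, the policy string and the hash are all constructed placeholders, and the policy parser only models scheme-qualified host sources and `'self'`/`'unsafe-inline'`, not nonces or hashes.

```javascript
// Added example: two-layer audit of the scripts on a payment page.
// Layer 1 - CSP script-src allowlist: a script the page did not declare is blocked.
// Layer 2 - Subresource Integrity: a declared third-party script whose bytes
//           change at the CDN no longer matches its hash and is blocked.
// All HTML, hostnames, policy text and hashes below are constructed placeholders.

const PAGE_ORIGIN = 'https://shop.example';

// Constructed payment page: first-party code, a pinned payment SDK,
// an unpinned chat widget, and an inline bootstrap script.
const SAMPLE_PAYMENT_PAGE = `
<html><head>
  <script src="/static/checkout.js"></script>
  <script src="https://cdn.payments.example/v2/sdk.js"
          integrity="sha384-CONSTRUCTEDPLACEHOLDERHASH"></script>
  <script src="https://chat.widget.example/bot.js"></script>
  <script>window.checkoutConfig = { currency: "GBP" };</script>
</head><body></body></html>`;

// Constructed policy: only first-party scripts and the payment SDK host,
// and no 'unsafe-inline', so inline scripts are refused as well.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://cdn.payments.example";

// Sources that govern scripts: script-src if present, otherwise default-src
// (the CSP fallback rule).
function scriptSources(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives.get('script-src') || directives.get('default-src') || [];
}

// Pull each <script> tag and its attributes out of the HTML. A regex is enough
// for this constructed input; use a real HTML parser on production pages.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>/gi;
  const attrRe = /([\w-]+)\s*=\s*["']([^"']*)["']/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1].toLowerCase()] = a[2];
    scripts.push({ src: attrs.src || null, integrity: attrs.integrity || null });
  }
  return scripts;
}

// Origin of a script URL, resolving relative paths against the page.
function scriptOrigin(src) {
  return new URL(src, PAGE_ORIGIN).origin;
}

// Would an external script at `src` be permitted by the script-src list?
function permittedBySources(src, sources) {
  const origin = scriptOrigin(src);
  return sources.some((s) => {
    if (s === "'self'") return origin === PAGE_ORIGIN;
    if (s.startsWith("'")) return false; // nonces, hashes and other keywords not modelled
    try { return new URL(s).origin === origin; } catch { return false; }
  });
}

// Audit every script; returns one finding per problematic script with its issues.
function auditScripts(html, csp) {
  const sources = scriptSources(csp);
  const findings = [];
  for (const s of extractScripts(html)) {
    const issues = [];
    if (s.src === null) {
      if (!sources.includes("'unsafe-inline'")) issues.push('inline script not permitted by policy');
    } else {
      if (!permittedBySources(s.src, sources)) issues.push('origin not in script-src allowlist');
      if (scriptOrigin(s.src) !== PAGE_ORIGIN && !s.integrity) issues.push('third-party script without integrity attribute');
    }
    if (issues.length) findings.push({ src: s.src, issues });
  }
  return findings;
}

for (const f of auditScripts(SAMPLE_PAYMENT_PAGE, SAMPLE_CSP)) {
  console.log(`${f.src || '<inline>'}: ${f.issues.join('; ')}`);
}
```

Run against the constructed page, the audit flags the chat widget twice (not in the allowlist and unpinned) and the inline script once, while the first-party and pinned SDK scripts pass. The point of the two layers is that they fail independently: a policy typo that lets an extra host through is still caught by the missing SRI hash, and a CDN serving altered bytes for an allowlisted host is still caught by the hash mismatch.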
Ticketmaster was found to have been negligent in its compliance. The ICO had initially proposed a fine of £1.5 million, which was reduced to £1.25 million in light of the impact of COVID-19. Ticketmaster has confirmed that it will appeal.
Clearly, given the significant reductions in both the BA and Marriott fines, there is merit in making representations against the ICO's provisional findings. Whilst the economic impact of COVID-19 may not be a factor in the future, it is clear that quick remedial action, prompt notification to data subjects and supervisory authorities, and a willingness to assist the ICO with its investigation are all factors which the ICO will view positively and take into account. All Data Controllers must put in place appropriate technical and organisational security measures and should consider how a layered approach, in which no single control is relied upon alone, can be adopted.
Ultimately, there seems to be a hesitancy to impose the very large fines many expected under the GDPR regime, but given that all three fines were issued to Data Controllers operating in sectors hit hard by the pandemic, it will be interesting to see whether future appeals result in such significant reductions.
For more information please get in touch with one of our information law experts: