Take-aways from the UK October GDPR fines
In October, the UK Information Commissioner’s Office (ICO) finally decided the level of the two most discussed announced GDPR fines in 2019.
The Marriott case
The hotel chain Marriott International, Inc. (Marriott) was fined £18.4 million for violations of the GDPR, a significant decrease from the announced £99 million fine. Marriott has indicated that the fine will not be appealed.
The breach stemmed from a 2014 cyberattack on Starwood Hotels and affected approximately 339 million guest records globally. The stolen data included names, email addresses, phone numbers, passport numbers, arrival/departure information and loyalty program information.
Marriott bought Starwood in 2016 and the breach was detected in September 2018. Marriott filed a breach notification, and the ICO found that Marriott had failed to put appropriate technical and organizational measures in place to secure the personal data.
It seems Marriott tried to argue before the ICO that the degree of sophistication of the attack should have been taken into account in determining what enforcement action was appropriate and the size of the fine, but the ICO did not accept this, stating:
“What the [a]ttack disclosed was the failure by Marriott to put in place appropriate security measures to address attacks of this kind and/or other identifiable risks to the system.”
It is also important to note that the ICO did not agree with Marriott's position that a controller must be reasonably certain that a personal data breach has occurred before notifying the data protection authorities. Breaches shall be notified, and the threshold is fairly low.
Regarding the actual notification Marriott undertook, the ICO pointed at several shortcomings in Marriott's notifications to the individuals, notably that the phone number given for the dedicated call centre they could contact was wrong.
The fine was calculated on the basis of the five-step process set out in the UK Regulatory Action Policy. The ICO put weight on the fact that Marriott did not gain financially from the breach, and on the fact that the nature of Marriott's failures was of significant concern, because the ICO found that there were multiple measures Marriott could have taken to detect the attack earlier, and a very large number of individuals were affected. Further, the distress caused to individuals was given weight, including the cancellation of payment cards, as well as the approximately 57,000 calls to the call centre set up to handle the breach. Marriott was found to have acted negligently in failing to properly maintain its ICT systems, and special weight was put on Marriott's size and the probability that someone would try to hack its systems.
However, the fine was reduced substantially. The ICO found the mitigating steps Marriott took to be relevant. These included, among many actions, password resets, disabling compromised accounts, and implementing better detection tools. The economic consequences of Covid-19 for Marriott were also found relevant.
After the arguments made by Marriott in response to the announced fine in 2019, the ICO decided on a fine of £28 million. Further, mitigating factors resulted in a reduction of the fine to £22.4 million, and the impact of COVID-19 further reduced the fine to £18.4 million.
The British Airways case
On 16 October, the ICO confirmed that it had fined British Airways (BA) £20m for infringing the GDPR. It is the highest fine in the UK. We do not know if this will be appealed by BA.
The breach stemmed from a hacker obtaining access to the BA internal network in 2018, through compromised credentials obtained from a third-party vendor and source code on a BA website. Personal data (names, addresses and credit card information) of approximately 400,000 of its customers was stolen.
Much like in the Marriott case, after hearing the arguments and descriptions of BA, the proposed fine of £183m was significantly reduced, in this case too partly due to Covid-19. The ICO also changed the basis for calculating the fine: instead of calculating it on the basis of an unpublished draft procedure, it had to be calculated on the basis of the UK Regulatory Action Policy.
There are, however, some important lessons from these two cases that are relevant to all companies, also outside the UK, seeking a proper level of GDPR compliance.
Your company, or the company that you are acquiring, may be held responsible for damage done by the activity of organised hackers and criminals. The ICO emphasised that the reason for sanctioning BA was not that a personal data breach actually occurred, but that BA had not taken appropriate technical and organisational security measures to protect its customers' data. The same applies in the Marriott case.
This of course means that legal and compliance teams need to work with information security teams. In interpreting the Article 32 requirements, the ICO made extensive references to industry standards and technical guidance issued by various third parties when evaluating the failures BA was responsible for.
Further, the ICO stated that the obligation to take appropriate technical and organisational measures does not only apply to systems processing personal data, but also to parts of the network that could result in a leak of personal data. One must accordingly have a certain level of logging, have a realistic view of supply chain risks and, of course, deploy multi-factor authentication for remote access to an internal network.
From both cases, we see that the steps taken after a breach may lower a fine. It is important to notify the data subjects and the data protection authorities promptly. In an international context, it may be challenging to decide which authorities shall be notified, so large international groups should give this some attention before a breach occurs. Full cooperation with the authorities after the breach is highly recommendable, and so is an offer to reimburse customers who have suffered financial loss. And do try to help the data subjects: in Norway, for instance, it is wise to tell the individuals that they may stop some identity theft consequences by ensuring that no credit checks may be undertaken on that individual, thereby blocking loans or credit purchases in their name.
The above measures are also relevant questions to address when assessing the value of a company in almost any acquisition. When acquiring a company, you need to see that risk assessments are actually done and that the target has a breach register. (No company has zero breaches.) Merely checking that signed data processing agreements are in place does not ensure basic GDPR compliance in a company. The higher the number of customers or employees, and the more sensitive the data involved, the more important this is.