On 16 October 2020, the Information Commissioner’s Office (ICO) issued British Airways with a £20 million fine for a data breach which took place in 2018. Whilst this is significantly lower than the £183 million fine initially announced by the ICO, it is still the largest fine it has issued to date.
Shortly after that, the ICO issued a fine of £18.4 million to Marriott International Inc. for a security breach involving the personal data of potentially millions of customers.
Background: fines under the GDPR
The EU General Data Protection Regulation (2016/679) (GDPR) introduced considerably higher fines compared to the previous data protection regime, under which the maximum fine issued by the ICO was £500,000.
Under the GDPR, the ICO has the power to issue fines for infringements of the GDPR of up to EUR 20 million (or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher) for the most serious breaches.
The British Airways data breach
British Airways suffered a cyber-attack in 2018 during which the personal data of over 400,000 individuals (both British Airways customers and staff) was potentially accessed. The personal data included names, addresses, payment card numbers and CVV numbers, as well as usernames and passwords. To make matters worse, British Airways was unaware of the attack until over two months later, and then only because a third party notified it of the attack.
The ICO found that British Airways failed to have adequate security measures in place, as required by the GDPR, which would have mitigated or prevented the risk of such an attack. Such measures included:
- limiting access to applications, data and tools to only those which are required to fulfil a user’s role;
- undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems; and
- protecting employee and third-party accounts with multi-factor authentication (i.e. a process that requires users to complete a combination of two or more steps to authenticate their identity before they are granted access to the relevant systems; the most common example is a requirement for users to input a password as well as a code that is sent to a mobile device). The ICO’s penalty notice emphasises the importance of multi-factor authentication, which the British Airways system did not use.
British Airways tried to argue that the attack was sophisticated, but the ICO disagreed, given that readily available security measures at the time (which were not prohibitively expensive) would have avoided the attack. The ICO found that British Airways was aware at the time of the attack that there were shortcomings in the security of its systems, but it failed to rectify them or justify why it did not have adequate measures in place.
When issuing its initial fine of £183 million, the ICO had considered British Airways’ annual turnover as a starting point for calculating fines. It later moved away from this approach and considered that, whilst turnover is a relevant consideration, a penalty of £30 million would be “an effective, proportionate and dissuasive fine” in the context of a controller of British Airways’ scale and turnover.
The ICO then took into account various aggravating factors, including the scale of the breach (i.e. the high number of records involved) and the fact that the breach may have caused some anxiety and distress to the affected individuals. It also considered the following mitigating factors, which ultimately resulted in a lower fine:
- British Airways had notified the ICO and affected individuals promptly once it became aware of the data breach;
- British Airways had co-operated fully with the ICO’s investigation;
- British Airways had offered to compensate individuals who had suffered financial loss as a result of the data breach;
- British Airways had improved its security measures since the attack; and
- the economic impact and affordability of the fine for British Airways (including the impact of Covid-19 on British Airways’ business).
The Marriott hotels data breach
On 30 October 2020, the ICO fined Marriott International Inc. (Marriott) £18.4 million for a data breach which took place in 2014, before the affected database was acquired by Marriott. Again, this was much lower than the £99 million fine announced in the ICO’s initial notice of intent to issue a fine in 2019.
In this case, a cyber-attacker installed code on a customer database which was at the time owned by Starwood Hotels and Resorts Worldwide Inc. (Starwood). This resulted in the attacker being able to access the records of some 339 million guests (as estimated by Marriott). However, the attack was not detected until over four years later, when Starwood became part of the Marriott hotels group.
Again, the ICO found that there was a failure to implement appropriate technical or organisational measures to protect the personal data.
Before setting its final, much-reduced penalty, the ICO considered representations from Marriott, including that it had acted quickly to mitigate the risk of damage suffered by customers and had improved the security of its systems, as well as the economic impact of Covid-19 on its business.
These fines could not have come at a worse time for British Airways and Marriott which are continuing to battle the effects of Covid-19 on the aviation and hospitality industries. But, were it not for the effects of the pandemic on their respective businesses, the fines could have been even higher. Of course, it is not just the amount of the fines that both British Airways and Marriott will be reeling from, but the negative publicity associated with them.
More and more organisations are entrusted with handling personal data, and these fines serve as a warning that the ICO will take data breaches seriously. British Airways’ argument that the attack it suffered was sophisticated was given short shrift by the ICO, which stated that such attacks are increasingly commonplace and so organisations (particularly larger organisations) should be aware that they may be targeted and should be prepared for such attacks.
Steps organisations can take to avoid a personal data breach
The ICO stressed that the occurrence of a personal data breach does not of itself mean that an organisation has failed to take appropriate technical and organisational measures, but to help demonstrate compliance with the GDPR you should:
- review your security measures and keep a written record of risk assessments;
- follow up on such reviews and risk assessments by implementing recommendations for improved security measures;
- if you choose not to take any measures recommended, you should be able to justify why you reached that decision and should keep a written record of your decision;
- have a written data breach response plan in place so that you can act quickly in the event of a data breach and notify all relevant parties; and
- if you are in the process of a corporate acquisition, ensure you carry out thorough due diligence on the target’s data protection compliance and measures.
It is worth noting that a key GDPR principle is that of ‘proportionality’: the GDPR does not require organisations to implement technical and organisational measures at any financial cost – they must be ‘appropriate’ measures which take into account (amongst other things) the cost of implementation, the nature of the processing and the risks to individuals’ rights and freedoms.
Personal data breaches and Brexit
Following the end of the transition period on 31 December 2020, the GDPR will be incorporated into UK law and so the key data protection principles will remain the same, at least initially. This means that the same maximum fines that can be imposed under the GDPR (or their equivalent in sterling) will continue to apply.
The ICO will remain the UK’s supervisory body for data protection and is expected to take the same approach to enforcement.
Mili Khoda is a Senior Associate in our Corporate, Technology and Banking and Finance team
18 November 2020
This Legal Update is published as a general guide only and it is not intended to contain definitive legal or professional advice, which should be obtained as appropriate in relation to any particular matter. This publication relates to matters prevailing at the date of its original publication and may not have been updated to reflect subsequent developments.