Why BA and Marriott were hit with massive GDPR fines - and how you can avoid one

Coffin Mew's Guy Cartwright explains why BA and Marriott have hit with big GDPR fines - and what you can do to minimise yours if the worst comes to the worst

This week, the Information Commissioner's Office (ICO) announced its intention to fine British Airways more than £183 million and Marriott International over £99 million for separate breaches of the General Data Protection Regulation (GDPR).

The size of the potential fines may not come as a particular surprise: the ICO has been waiting since it finally came into force in May to flex its new and improved enforcement muscles under the GDPR.

Still, two large potential fines in one week, both against global organisations, shows that the ICO is ramping up its enforcement arm. It also sends a strong message to other organisations that the ICO means business.

It's all about security

The BA fine relates to a cyber security incident in which customers' payment and personal details were scraped from the company's check-out pages as they purchased flights, hotel rooms and hire cars between June and September last year.

In total, the personal data of approximately 500,000 customers was involved in the incident, together with passport and credit card details. BA reported the incident last September and notified customers within the 72 hour time-frame required by the GDPR.

However, despite BA taking these proactive steps, the ICO has found ‘poor security arrangements' led to the personal data being compromised and, consequently, issued a notice to fine BA 1.5 per cent of turnover, equating to £183 million.

Marriott's potential fine relates to another cyber incident in which 339 million guest records globally were exposed, including those of seven million UK residents. Marriott notified the ICO in November 2018.

What is interesting in Marriott's case is that the vulnerability began at Starwood Hotels and Resorts Worldwide, which Marriott then went on to acquire, with the company admitting that the compromise went as far back as 2014. The ICO investigation found that Marriott did not undertake adequate due diligence when it bought Starwood and failed to ensure that Starwood's IT systems were secure. The possible outcome: just short of a £100million fine. Buyer beware.

It is notable in both cases that neither BA nor Marriott were involved in any active wrongdoing. They did not flagrantly breach the rules. Instead, both instances involved nefarious third parties that took advantage of substandard security arrangements.

"What is substandard?" You may well ask.

The GDPR requires organisations that process personal data to put in place technical and organisational measures appropriate to the risk. Although the ICO has not yet issued the full report on either investigation, it's clear that failing to implement appropriate technical and organisation measures is why the fines are so high.

What is "appropriate" to the risk will depend on the type and volume of personal data being processed and consideration of the harm that could ensue if the data was compromised. For example, a bank has a large amount of high risk data, with great risk if it is compromised, whereas a free mobile game app may have limited and low risk personal data on its customers, so a breach will have a smaller impact.

It's big, but it could have been worse

The ICO has set a high bar in these cases, but they could have set it even higher. The ICO can seek a fine of up to 4% of a company's global annual revenue for a breach of the GDPR whereas the BA fine represents about 1.5% of BA's 2017 turnover.

However, it is a significant increase when compared to the maximum fine of up to £500,000 the ICO could previously levy under the UK's past data protection regime, the Data Protection Act 1998. And it is certainly enough of a fine for shareholders and investors to take note, particularly when coupled with the considerable reputational damage data breaches can cause, something which is always difficult to quantify. It also leaves the door wide-open for US style class action lawsuits because any person who has suffered "material or non-material damage" has the right to receive compensation under the GDPR.

What happens next?

This isn't the end of either investigation yet. Both organisations have announced that they will appeal and "vigorously" defend their positions; and both will provide interesting test cases.

These two potential fines aside, there will be other high-profile penalties. Google and Facebook have long been on the ICO's radar and a large fine issued by the ICO against a major tech-giant seems only a matter of time.

Some top tips for businesses:

• Breach identification and reporting: Have a breach procedure in place that covers the whole of the organisation. Data held in one jurisdiction can trigger breach reporting in another. Undertake ‘dry runs' so that everyone knows what they need to do in the event of a breach;
• Due diligence: Carry out thorough due diligence on suppliers, as well as any new business prior to an acquisition. Data protection has increasingly become one of the most important issues in company acquisition as the Marriott fine amply illustrates;
• Insurance: Review insurance policies and check what you are covered for. New and emerging risks, like cyber attacks, are not always covered in traditional policies and may be explicitly excluded;
• Training: Ensure staff are appropriately trained to recognise and escalate data breaches in line with policy;
• IT infrastructure: Invest in IT infrastructure and ensure that the security measures are commensurate with the risk by undertaking risk assessments and privacy impact assessments; and,
• Ensure accountability: Appoint a data protection officer or, if this is not required, at least someone responsible for data protection across the business. The ICO has recently warned that organisations must shift their focus to accountability.

Guy Cartwright is an associate in the Commercial group and member of the technology sector team at law firm Coffin Mew