The Information Commissioner’s Office (ICO) announced, on 9th July, its intention to fine Marriott International, a hotel chain, over £99m, following an investigation into a major data breach last year. The announcement came in the same week that the ICO issued a similar notice of its intention to fine British Airways (BA) over £183m in relation to a data breach; these are the ICO’s first investigations under the GDPR to produce monetary penalties.
Large fines and ‘delayed reactions’
The high value of the fines (in comparison to the ICO’s investigations over the previous few months) reflects the fact that data breaches that occurred after the GDPR entered into force (in May 2018) are now being discovered or reported, meaning that GDPR-level fines can be applied by regulators. In Marriott’s case, this involved a November 2018 revelation of a hack into data collected by Starwood, a hotel chain it acquired in 2016, that exposed 339 million guest records. In BA’s case, the data breach related to a security vulnerability on BA’s booking website through which 500,000 customers’ details were exfiltrated by cyber attackers between June and September 2018. In both cases, large datasets including customers’ personal information and card details were affected, and these were clearly targeted by financially-motivated criminals.
These breaches bring into sharp relief the fact that large stores of data, particularly those involving financial information, are likely to be particular targets for hackers. Both companies were slow to identify or detect the data breaches: in BA’s case, for example, the loss of information through bookings was discovered two weeks after it began. In Marriott’s case, the data breach was only uncovered in late 2018, despite Starwood having been acquired in 2016 and the leak of the data actually beginning as early as 2014.
In addition to highlighting the need to maintain internal data security, Marriott’s data breach is a stark reminder to organisations that examining data protection governance should remain a core part of due diligence when acquiring a new organisation. In particular, organisations should check for evidence of data mapping activities (including insecure locations where data could be stored or collected from), records of previous security incidents or data breaches and the action taken in response, and any third parties to whom data is provided, as each of these is a source of potential reputational and compliance risk to the buyer. The absence of any such governance or self-assessment should represent an immediate red flag.
As both cases were high-profile data breaches that the ICO could not possibly ignore (both Marriott and BA took steps to notify their customers and investors of the loss of information), they do not tell us much about its upcoming enforcement strategy. However, they do signal that the ICO will not be reticent to apply penalties up to the 2% of global turnover permitted for security lapses and 4% for wider governance failures under the GDPR. Nevertheless, both organisations still have the right to make representations which may reduce the fines, and the ICO’s final monetary penalty notice will set out how the penalties were calculated.