The UK Information Commissioner’s Office has formally issued penalty notices fining Marriott International Inc. and British Airways plc for breaches of the GDPR.
The circumstances of each case were quite different:
- in 2016 Marriott acquired another hotel chain (Starwood Hotels and Resorts Worldwide Inc.) which had unknowingly been the victim of an ongoing cyber-attack since 2014. The attacker was able to extract the data of an estimated 39 million customers, including personal and travel details and unencrypted passport numbers. The attack was only detected in September 2018, after the GDPR had come into effect.
- BA was also the victim of an external attack. Starting in June 2018, the attacker used a supplier’s credentials, via a remote access gateway, to reach BA’s wider network and divert data to a new website operated by the attacker. Cardholder data (in some cases including CVV numbers) was being stored, and so exposed, because of a testing feature left in place since 2015, alongside other personal data of around 429,000 customers and staff. BA was not aware of the attack until informed by a third party in September 2018.
Note that the fines were not imposed in respect of the data breaches themselves, but for failures to have in place appropriate technical and organisational measures to protect personal data processed – as evidenced by the breaches.
How high are the fines?
They are high – GBP 18.4 million for Marriott and GBP 20 million for BA. But they are also far lower than the ICO’s initial proposals (the much-harder-to-explain-to-shareholders GBP 99,200,396 for Marriott and the even-more-eye-watering GBP 183.39 million for BA). The parties’ legal teams will take some credit for beating the amounts down (and from the decisions it seems neither of them held back from making every credible argument, and some more imaginative ones). However, the ICO’s initial calculation methodologies (from a Draft Internal Procedure using worldwide turnover as a central element) appear to have undergone some serious reconsideration (possibly with input from the EU supervisory authorities with whom the fines had to be coordinated).
The “real” fines were GBP 28 million for Marriott and GBP 30 million for BA, but in each case a reduction of 20% was made for full cooperation with the investigation, followed by a further reduction of GBP 4 million each for current economic factors, including the effects on each organisation of the COVID-19 pandemic and shutdown.
What have we learned?
1. IT people need to read these decisions
They reveal the way the ICO approaches the data security requirements of the GDPR. The ICO makes a fair effort not to judge with the benefit of hindsight, but is quite demanding about what was available, cost-effective and reasonable for businesses to have implemented at the material time. It relies heavily on publicly available research and public domain studies, and of course on the ICO’s own guidance.
Takeaway: These decisions give us a worthwhile recent checklist of source materials that the ICO expects us to take into account (e.g. NCSC and NIST guidance). We also need to avoid hindsight – if we later claim that a particular measure was impractical or not cost-effective then we had better be able to show with documents from the time that we actually considered them and the alternatives.
2. You own your third parties’ mistakes
It’s not clear exactly how Swissport credentials came to be used by BA’s attacker and there appears to be a fairly long chain of hacking moves that led to the accessing of personal data within BA systems. However, inevitably, the ICO looks at the vulnerabilities which enabled this to happen.
Takeaway: We don’t know whether Swissport was at fault in any way in facilitating the breach (the ICO decision is heavily redacted to conceal some of the key techniques and events). The problem for BA is that Swissport was only supposed to access particular applications and so may not even have been expected to access personal data. However, if there was some fault, then BA would want a sufficient indemnity clause in the relevant services agreement enabling it to reclaim some of the loss. Of course, there would then be a discussion over whether the data breach and ICO fine were caused by the original compromise or at least partly by the obvious vulnerabilities and (it has to be said) bad practices on the part of BA. If a third party can access our systems then, although this won’t excuse our own failures, we probably need our agreement to cover even the remote risks robustly.
3. You own the mistakes you buy
It seems Marriott was not able to do very full due diligence when it acquired Starwood in 2016 (often you get only a few days, and in this case the target was a competitor). Not that due diligence would necessarily have revealed anything here, as Starwood was itself unaware of the problem.
Takeaway: Do as much due diligence as reasonably possible. The GDPR had been adopted in 2016 but did not apply until May 2018; nowadays we know we can clearly be acquiring a sizable regulatory problem. Do warranties based on “knowledge” make sense? (For the target they clearly do; for the acquirer, not so much.) If we acquire something that contains a vulnerability, at what point does it cease to be the responsibility of the vendor because we should have discovered or fixed it? Should warranty claims relating to security be entertained for longer than those for other business issues?
4. We still don’t know how fines are calculated
ICO’s penalty-setting methodology seems all very well in theory: 1. Removing any financial gain obtained from the breach; 2. an amount to “censure” the scale and severity of the breach; 3. an addition for aggravating factors; 4. an addition for deterrent effect on others; and 5. a reduction for mitigating factors. However, we have no idea where the amount in 2. comes from. There are a few crumbs in the ICO’s Regulatory Action Policy: the number of individuals affected, the damage done, the sensitivity of the data (not limited to special categories)… But Eden Legal would say that these decisions are weak in justifying the amounts involved and don’t fully fulfil the stated aim of the ICO’s RAP that “Organisations should be able to predict how my office will carry out its regulatory activity”.
Takeaway: Reportedly, Marriott has agreed not to appeal the decision so we won’t have the benefit of a court’s interpretation in that case. All we can really do for now is review decisions from across the GDPR area which may help set some benchmarks. Of course, from 2021, the “sovereign, independent” UK may diverge from these depending on how the UK GDPR and relations with EU counterparts develop.
5. General principles of the GDPR may trump the specific ones
The ICO’s decisions were taken based on GDPR Article 32 (Security of processing) and Article 5(1)(f) (Principles – integrity and confidentiality). These provisions clearly overlap – but according to Article 83, fines for a breach of Article 32 can go up to EUR 10 million (or 2% of worldwide annual turnover, if higher), while fines for a breach of Article 5 can be up to EUR 20 million (or 4% of worldwide annual turnover, if higher). The ICO’s approach is to apply the highest category for “the gravest breach”.
Takeaway: It seems a tough result, as a breach of Article 32 will almost always be a breach of Article 5 – and Article 5 is so broad that this will be true in more cases. However, for practical purposes we have to assume that the higher category will always apply.
6. Data Protection by Design didn’t feature – but it will
GDPR Article 25 obliges data controllers to apply principles of data protection by design “both at the time of the determination of the means for processing and at the time of the processing itself”. In Marriott’s case, a reference to Article 25 in the ICO’s Notice of Intent to issue a penalty was an error; in BA’s case, the Notice of Intent initially found that BA had infringed Article 25 but did not rely on this in the final decision. Although these decisions relate to systems designed before GDPR entered into effect, Article 25 is an ongoing obligation. However, that obligation is hard to separate from the GDPR’s general security obligations and the ICO did not find it necessary to enter into that discussion this time.
Takeaway: Data protection by design in particular involves fairly nebulous concepts and may easily be overlooked in favour of more concrete obligations under GDPR. However, as the GDPR ages, it will be harder to ignore. We should involve all relevant stakeholders early in security and design decisions. We should also document the decision-making process and be in a position to show that these principles were taken seriously. Data protection by default (data minimization) is easier to work on. But the ICO’s approach seems to indicate that both of these will be enforced in future (e.g. particularly if we suffer a data breach in relation to personal data that we didn’t need to collect or to have in our systems).
7. What does our insurance cover?
How much of this can be covered by a Technology Errors and Omissions or Privacy/Network Security policy? Do they cover our own actions or also actions of service providers? Eden Legal has seen requests for insurances to cover loss or disclosure of information “no matter how it occurs”. Is this reasonable, insurable, or affordable?
Takeaway: We should check our own policies. And within our data processing contracts too we may want to reinforce the extent of insurance that we want to require from our third party providers. Data controllers may become more insistent on being named as additional insured parties.
8. Cooperation is essential
The ICO’s test is that we should notify not when we “know” but when we can “reasonably conclude that it is likely” a personal data breach has occurred. Voluntarily notifying a serious breach and cooperating fully with any investigation are clear mitigating factors in the calculation of any penalty (potential savings: around 20%).
Takeaway: We need a robust process to evaluate the existence and severity of data incidents; to bring in all relevant management, IT, compliance, legal, PR, customer services, account managers; and decide what needs to be communicated to authorities (not just data protection authorities but possibly also law enforcement, financial services regulators etc.), data subjects, business partners (other data controllers, banks), investors.
9. Rapid and effective communication with and support of data subjects is also essential
Marriott and BA appear to have done this well: Marriott sent an initial email to data subjects and set up a telephone call centre and dedicated webpage; BA notified the data subjects and authorities, issued a press communication, was active on television, on social media and in the press, as well as providing free credit monitoring to affected data subjects and offering to cover any financial losses.
Takeaway: The response will depend on the scale, severity and nature of the data breach but distress caused to data subjects is another key factor in calculating penalties, so any action we can take to avoid or alleviate it, and the speed of that action, will be in our favour.
10. What happens from 2021?
In these cases, as they commenced before the UK left the EU, the ICO was acting as lead authority on behalf of other EU supervisory authorities under the GDPR. From 2021, although the GDPR has been brought into UK law, this coordination of action will (probably – subject to any new relationship being agreed) not exist, so in theory any similar incident affecting data subjects in the EU and the UK could be subject to a double investigation and double penalty from the UK and EU lead authority.
Takeaway: We can’t solve this and it may raise the already high stakes. For example, we might consider that any agreed limitations of liability with international data processors should be higher if any breach might leave us facing double jeopardy from authorities in both the UK and the EU.