A Fine Mess: the U.K. Information Commissioner's Office's proposed GDPR fines

Canadian Lawyer Online — IT Girl Column

The calm of the lazy, hazy July summer was recently shattered by two announcements from the U.K. Information Commissioner’s Office that sent a shiver down the spine of many companies. The ICO’s announcement of its intention to levy substantial fines against British Airways and Marriott International, Inc. demonstrates that Europe’s privacy regulators are not afraid to flex their muscles and use their authority to impose significant financial penalties to drive compliance with the EU General Data Protection Regulation, and it showcases the sheer scale of the financial penalties available under this law.

The proposed British Airways penalty, representing 1.5 per cent of the airline’s world-wide turnover for the financial year ending December 31, 2017, is the largest fine proposed to date under the GDPR and comes slightly more than a year after the GDPR became the law of the land in Europe. The fine eclipses both the earlier $818,597 fine levied against Facebook in connection with its involvement in the Cambridge Analytica incident, which had been decided under the older predecessor European Directive, and the $73,523,063 fine levied against Google LLC by France’s National Data Protection Commission for GDPR violations regarding Google’s lack of transparency, inadequate information and lack of valid consent regarding ads personalization.

Firstly, on July 8, the ICO issued a notice of its intention to fine British Airways $300,245,081 for infringement of the GDPR stemming from a serious cyber-incident that had occurred in June 2018 and that had been initially reported to the ICO on September 6, 2018 and subsequently on October 25, 2018.

By diverting customers to a fraudulent website and app, hackers misappropriated the personal and payment card details of 380,000 customers who had booked flights between August 21, 2018 and September 5, 2018, including their names, addresses, emails and credit card details (card numbers, expiration dates and security codes).

Ultimately, the personal information and security of over 500,000 travellers were compromised. The ICO’s notice stated that its investigation found that BA’s “poor security” had contributed to the incident, including security relating to login, payment card and travel-booking details as well as the storage of customer address information.

The ICO has been investigating this case as lead supervisory authority on behalf of other EU member state data protection authorities. Under the GDPR’s one-stop-shop provisions, the EU data regulators whose residents have been affected will also have the chance to comment on the ICO’s findings.

British Airways has been “cooperating” with the investigation and has, according to the ICO, made a number of improvements to its security arrangements. In accordance with the law, the company has the right to appeal and make representations to the ICO regarding the regulator’s findings and sanctions.

Only one day later, on July 9, the ICO struck again, announcing that it planned to fine Marriott $162,410,333 for GDPR infringements relating to a cyber-incident that was reported to the ICO by Marriott in November 2018, but that actually dates back to July 2014 and involves the systems of another company acquired by Marriott, Starwood Hotels & Resorts Worldwide, LLC.

Marriott purchased Starwood Hotels in September 2016 but had kept Starwood’s reservation databases separate from its own until December 2018. At the time of the merger, Starwood had 21 million members in its loyalty programs and, given the nature of its business, had collected considerable personal information relating to its customers.

On September 8, 2018, Marriott received an alert from an internal security tool that there had been an attempt to access its Starwood guest reservation database. Following consultations with security experts, Marriott ultimately learned that hackers, using remote access trojan malware, had gained unauthorized access to the Starwood network, could surveil it, and had been doing so since at least 2014.

The details of this data breach are truly staggering, involving 383 million guest records, 18.5 million encrypted passport numbers, 9.1 million encrypted payment card numbers and 385,000 valid card numbers, in addition to 5.25 million unencrypted passport numbers.

Additional information became available in November 2018, following further investigation by Marriott, and the company acknowledged that data thieves were able to access some combination of people’s names, mailing addresses, phone numbers, email addresses, gender, passport numbers, Starwood loyalty program account information, dates of birth, arrival and departure information, reservation dates and communication preferences. Anyone who made a reservation at a Starwood property on or before September 10, 2018, was potentially affected, including guests of such Starwood brands as W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Le Méridien Hotels & Resorts, and other hotel and timeshare properties.

The ICO noted that, of the millions of guest records exposed by the incident, approximately 30 million related to residents of 31 countries in the European Economic Area, with seven million relating to U.K. residents.

As in the British Airways case, other EU data protection authorities whose residents have been affected will also have the chance to comment on the ICO’s findings. Marriott has the right to appeal and make representations to the ICO regarding the regulator’s findings and sanctions.

Regardless of whether the ICO ultimately reduces the proposed fines payable by British Airways and Marriott, there is no question that breaching the GDPR risks the imposition of significant financial penalties. For example, organizations in breach of the GDPR can be fined up to 4 per cent of annual global turnover or $29,429,392 (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements of the GDPR (e.g. not having sufficient customer consent to process data or violating the core privacy-by-design concepts).

The GDPR also provides for a reduced tier of fines, including fines of up to 2 per cent of annual global turnover or $14,714,696 (whichever is greater) for failures such as not having records in order (article 28), not notifying the supervisory authority and data subjects about a breach, or not conducting an impact assessment.

While both statements from the ICO are rather short on detail – just how did British Airways and Marriott breach the GDPR? – there is a good chance that one, if not both, of these organizations stand accused of breaching Article 5(1)(f), which forms part of the GDPR principles relating to the processing of personal data.

This section of the regulation requires “personal data” to be: “processed lawfully, fairly and in a transparent manner in relation to the data subject…and be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

In addition, “controllers” are responsible for, and must be able to demonstrate compliance with, these obligations (the “accountability” principle).

So what are the (interim) lessons to be learned from the ICO’s recent announcements?

Most obviously, that EU regulators are not afraid to assert their considerable authority against organizations that they determine are subject to GDPR compliance requirements (including those that are not EU-based entities) where there is significant evidence of non-compliance. Moreover, companies cannot fake GDPR compliance: the GDPR’s expectations of what constitutes “appropriate technical or organizational measures” to protect sensitive personal information, and the technology systems and platforms where such data resides, are high.

Additionally, and as demonstrated by the Marriott case, neither the ignorance of a purchaser nor its failure to exercise all necessary due diligence (and engage in required post-closing cleanup) will act as an excuse or a shield against GDPR non-compliance, even if the actual security or data breach occurred at a then-unrelated company prior to the acquisition. As U.K. Information Commissioner Elizabeth Denham (former Information and Privacy Commissioner for British Columbia) commented vis-à-vis the Marriott fine, “organizations are accountable for the personal data they hold, including carrying out proposed due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired but how it is protected.”

So it behooves any organization that may be subject to the GDPR (including Canadian companies) to get its data house in order, ensure that it has adequate security programs (including reasonable technical, organizational and accountability measures) in place, engage in rigorous cyber due diligence if it plans to acquire other businesses, and plug any security gaps identified following the purchase of another organization. It will be interesting to see whether either British Airways or Marriott manages to convince the ICO to lower the fines that will be applied to them – continue to watch this space for more details.

This article originally appeared as Lisa’s IT Girl column in Canadian Lawyer Magazine.