The U.K. Information Commissioner’s Office (ICO) announced headline-grabbing proposed fines against British Airways and Marriott International, Inc. for alleged violations of the EU’s General Data Protection Regulation (GDPR).
Why it matters: The ICO’s proposed fines illustrate the authority it intends to wield with respect to enforcing the GDPR. Just over one year since the GDPR went into effect (May 25, 2018), the ICO is making a statement against iconic British and American brands, and its actions underscore the need for incorporating privacy and security into M&A due diligence processes as well as everyday business operations. The proposed fines are a reminder that regulators in certain jurisdictions have been granted significant authority under comprehensive data protection legislation being adopted globally, including under the California Consumer Privacy Act. It remains to be seen whether the companies can reduce the proposed fines through substantive arguments, such as British Airways’ apparent intent to argue that no persons were harmed by the security matter, or Marriott’s ability to demonstrate that it exercised reasonable due diligence prior to acquiring Starwood.
What happened: First, on July 8, 2019, the ICO announced its intention to fine British Airways £183.4 million ($230 million) in connection with a 2018 cybersecurity matter. The fine would amount to approximately 1.5% of the company’s 2017 annual revenue. It is the largest penalty announced to date for alleged GDPR violations. British Airways intends to dispute the ICO’s findings and fine, noting that it found no evidence of fraudulent activity on compromised accounts.
British Airways notified the ICO in September 2018 about the attack, which the ICO alleges began in June 2018 through British Airways’ website and mobile applications and compromised the protected data of nearly 500,000 customers. Specifically, the ICO’s investigation alleges that customer names, addresses, login credentials, payment card information and travel booking details were compromised. The ICO alleges that the breach was due to British Airways’ ineffective security practices but did not publicly release detailed investigative findings.
Second, on July 9, 2019, Marriott announced in a filing with the U.S. Securities and Exchange Commission that the ICO intends to fine it £99.2 million ($123 million) for GDPR violations related to a cybersecurity matter involving the guest reservation database it acquired from the Starwood hotels group in 2016. The fine represents nearly 3% of Marriott’s annual global revenue reported in 2018. Marriott also intends to dispute the ICO’s findings and fine.
The ICO confirmed the proposed fine, explaining that following Marriott’s notification in November 2018, the ICO conducted an investigation. That investigation allegedly found vulnerabilities within Starwood’s guest reservation database that led to the compromise of protected data of up to approximately 339 million customers, including 7 million U.K. residents and 23 million residents of other EU countries. According to Marriott’s security incident notice, the Starwood guest profiles allegedly were compromised starting in 2014 until Marriott discovered the vulnerability in September 2018. The protected data included customer names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, loyalty program information, travel booking details and encrypted payment card information. The ICO alleges that Marriott (i) failed to exercise sufficient due diligence by not assessing the protected data and security controls it was acquiring from Starwood; and (ii) should have done more to secure the Starwood systems after integrating the two companies. In this matter, too, the ICO has not publicly released any detailed investigative findings.
Under Article 32 of the GDPR, data controllers and processors are required to implement appropriate technical and administrative controls, policies and procedures to protect personal information of EU residents and “ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,” among other things. Article 32 allows companies to take a risk-based approach, without prescribing specific security requirements. The often-discussed and feared Article 33 requires companies to report breaches within 72 hours of discovery and can result in fines as great as 4% of the company’s annual revenue.
Despite citing British Airways’ and Marriott’s cooperation and subsequent security enhancements, the ICO, serving as the lead supervisory authority on behalf of other EU member state data protection authorities (DPAs), announced the two fines in consultation with other DPAs. The DPAs whose residents allegedly have been affected will have an opportunity to comment on the ICO’s findings. Additionally, prior to finalizing its decision, the ICO will provide British Airways and Marriott with the opportunity to respond. Again, both companies plan to contest the ICO’s findings and penalties.