Skip to content

What the Information Commissioner’s BA and Marriott mega-fines mean – take notice but wait for the final verdicts

Insight

Data Protection

The announcements by the ICO of its intentions to fine British Airways and Marriott Hotels £183.4m and £99.2m respectively for data security breaches have caught the headlines for good reason. Indeed, these penalties would become the first and second biggest fines of the GDPR era, should they go through without substantial reduction.

However, while these eye-watering sums are obviously important to highlight, it is too early to seek to draw any firm conclusions from them in terms of how to improve data security practices. This is for the following main reasons:

  • At this stage, these are notices of intentions to fine only. BA and Marriott each have 28 days to respond before the ICO takes a final decision. While we can be pretty sure that the ICO is confident of its grounds, it would be sensible to wait for the ICO’s monetary penalty notices to confirm this
  • And what are those grounds? All that we have are two relatively short statements from the ICO issued because the affected companies made announcements to the SEC/ the public markets of the likely (financial) impact of the fines once they received the ICO’s notices of intention to fine
  • We will see the details when we see the ICO’s final monetary penalty notices. That will be where the value lies in understanding where the ICO believes the companies failed to comply with data protection law. That is where others will find value in the lessons that they can learn from this and the steps that they might need to take.

While these are of course big fines for big companies, it is not just airlines, hotel groups and other global corporate organisations that have been fined for data security missteps. In May 2018 (when the Data Protection Act 1998 was still in force), the University of Greenwich and the Bible Society were fined £120,000 and £100,000 respectively for failing to understand fully and secure properly their IT infrastructure and networks against malicious cyber attacks.  Indeed, since the ICO gained fining powers in 2010, data controllers receiving fines for data security failings have come from diverse sectors, including charities, educational institutions, local government, NHS trusts, and a range of businesses, including financial services firms and online traders.

Taken together, these fines under the 1998 Act show a number of themes in the ICO’s approach to data security, and what can constitute ‘inadequate’ protection for personal data.  Common failures include insufficient understanding of IT systems; no use of multifactor authentication; not enough use of encryption; allowing unrestricted downloads to removable devices (eg USB sticks); poor decision making when responding to ransomware attacks; inadequate risk assessments and monitoring; and retaining personal data for longer than is necessary. Another common thread in the ICO’s enforcement action is a lack of sufficient policies, procedures and training for staff on data protection and information security matters.

So what can we conclude, for now, from the news about BA and Marriott? It does seem clear that the ICO is not afraid to impose big, ‘competition law style’ fines, calculated as a percentage (at a maximum of four per cent) of the data controller’s annual global turnover. It remains to be seen, however, what this means for other data controllers who have perhaps much less personal data, or much less sensitive data, and more obviously limited resources for improving data protection policy and practice. Once we see the final monetary penalty notices for BA and Marriott, we will analyse what they indicate to us about the ICO’s approach to data security, enforcement and wider data protection regulation and we will let you know what we conclude. Until then, don’t cancel your summer holiday plans...

If you require further information about anything covered in this briefing, please contact Ian De Freitas, Owen O'Rorke or Alan Baker, or your usual contact at the firm on +44 (0)20 3375 7000.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, July 2019

Want to know more?

Contact us

About the authors

Ian De Freitas lawyer photo

Ian De Freitas

Partner

Ian has over thirty years' experience as a commercial litigator. He specialises in disputes involving data, technology and intellectual property. Ian leads the firm’s Data, IP and Technology Disputes team. 

Ian has over thirty years' experience as a commercial litigator. He specialises in disputes involving data, technology and intellectual property. Ian leads the firm’s Data, IP and Technology Disputes team. 

Email Ian +44 (0)20 3375 7471
Owen O'Rorke lawyer photo

Owen O'Rorke

Partner

Owen is a rights specialist with expertise in data protection and intellectual property, and considerable experience in both contentious and advisory contexts. He is a recognised authority in information sharing and data privacy in schools, fundraising, and the sports sectors, with a particular interest in safeguarding.

Owen is a rights specialist with expertise in data protection and intellectual property, and considerable experience in both contentious and advisory contexts. He is a recognised authority in information sharing and data privacy in schools, fundraising, and the sports sectors, with a particular interest in safeguarding.

Email Owen +44 (0)20 3375 7348
RGB

Alan Baker

Partner

Alan advises on all aspects of data protection law, commercial contracts and the use of information and intellectual property assets, as well as commercial regulatory issues. He helps clients to balance the sometimes competing objectives of minimising compliance risks and maximising commercial rewards.

Alan advises on all aspects of data protection law, commercial contracts and the use of information and intellectual property assets, as well as commercial regulatory issues. He helps clients to balance the sometimes competing objectives of minimising compliance risks and maximising commercial rewards.

Email Alan +44 (0)20 3375 7441

More by the authors

Further reading

Related sectors & services

Continue to next section
Back to top