The announcements by the ICO of its intentions to fine British Airways and Marriott Hotels £183.4m and £99.2m respectively for data security breaches have caught the headlines for good reason. Indeed, these penalties would become the first and second biggest fines of the GDPR era, should they go through without substantial reduction.
However, while these eye-watering sums are obviously important to highlight, it is too early to seek to draw any firm conclusions from them in terms of how to improve data security practices. This is for the following main reasons:
- At this stage, these are notices of intentions to fine only. BA and Marriott each have 28 days to respond before the ICO takes a final decision. While we can be pretty sure that the ICO is confident of its grounds, it would be sensible to wait for the ICO’s monetary penalty notices to confirm this.
- And what are those grounds? All that we have are two relatively short statements from the ICO, issued because the affected companies made announcements to the SEC and the public markets of the likely (financial) impact of the fines once they received the ICO’s notices of intention to fine.
- We will see the details when we see the ICO’s final monetary penalty notices. That will be where the value lies in understanding where the ICO believes the companies failed to comply with data protection law. That is where others will find value in the lessons that they can learn from this and the steps that they might need to take.
While these are of course big fines for big companies, it is not just airlines, hotel groups and other global corporate organisations that have been fined for data security missteps. In May 2018 (when the Data Protection Act 1998 was still in force), the University of Greenwich and the Bible Society were fined £120,000 and £100,000 respectively for failing to understand fully and secure properly their IT infrastructure and networks against malicious cyber attacks. Indeed, since the ICO gained fining powers in 2010, data controllers receiving fines for data security failings have come from diverse sectors, including charities, educational institutions, local government, NHS trusts, and a range of businesses, including financial services firms and online traders.
Taken together, these fines under the 1998 Act show a number of themes in the ICO’s approach to data security, and what can constitute ‘inadequate’ protection for personal data. Common failures include insufficient understanding of IT systems; no use of multifactor authentication; not enough use of encryption; allowing unrestricted downloads to removable devices (eg USB sticks); poor decision making when responding to ransomware attacks; inadequate risk assessments and monitoring; and retaining personal data for longer than is necessary. Another common thread in the ICO’s enforcement action is a lack of sufficient policies, procedures and training for staff on data protection and information security matters.
So what can we conclude, for now, from the news about BA and Marriott? It does seem clear that the ICO is not afraid to impose big, ‘competition law style’ fines, calculated as a percentage (at a maximum of four per cent) of the data controller’s annual global turnover. It remains to be seen, however, what this means for other data controllers who have perhaps much less personal data, or much less sensitive data, and more obviously limited resources for improving data protection policy and practice. Once we see the final monetary penalty notices for BA and Marriott, we will analyse what they indicate to us about the ICO’s approach to data security, enforcement and wider data protection regulation and we will let you know what we conclude. Until then, don’t cancel your summer holiday plans...
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, July 2019