Since the start of July, the ICO has announced its intention to fine Marriott International and British Airways £99.3m and £183.39m respectively for breaches of the GDPR. Those staggering fines both came after a very quiet year immediately following the introduction of the GDPR - the calm before the storm, as it turns out.
Given the sheer size of the intended fines, and the dates of the incidents leading to them (thought to have been June 2018 in the case of BA, and 2014 in the case of Marriott), it's fair to assume that the ICO has been investigating both matters for quite some time. The Marriott breach was actually suffered by Starwood Hotels Group before Marriott bought Starwood in 2016 (and pre-GDPR), so Marriott 'inherited' the liability. However, it seems that the Marriott fine relates not only to the original breach, but also to a failure of Marriott's due diligence when it was planning to buy Starwood, as well as to a subsequent failure by Marriott to secure its data properly after it had bought Starwood.
There's still some way to go before any money is paid to the ICO because BA and Marriott both have an opportunity to appeal, but the ICO has clearly shown that it isn't going to be pulling any punches. Even if the final fines were to be reduced quite substantially they'd still be hefty and certainly way in excess of the previous joint record of £500,000, imposed on Facebook (for the Cambridge Analytica breach) and on Equifax (for the release of data about 15 million UK residents). Admittedly those fines were under the pre-GDPR regime and would certainly have been higher had there not been a £500,000 cap, but we're very much into new territory with fines of tens of millions of pounds.
I’d be surprised if the board of BA consider themselves to be lucky, but if they're looking for a silver lining to their cloud they may take a crumb of comfort from the fact that a maximum fine of 4% of annual turnover would have been nearer £500m.
So what can we learn from these fines?
- the ICO takes a very dim view of companies that don't have appropriate security measures to protect personal data. The ICO can and will impose painful penalties; and
- if you're buying a company, do thorough legal and technical IT and data due diligence. Make sure you know what you're buying. It seems that the Starwood breach didn't happen on Marriott's watch, but Marriott is now having to foot the bill.
Looking at the ICO's recent Annual Report for the year ending on 31 March 2019, it does seem that monetary penalties are seen as an absolute last resort for the worst data breaches. Of the 13,840 personal data breaches reported to the ICO in that year:
- 82.01% were determined to require no further action (either because the organisation in breach had measures in place or had otherwise addressed the breach);
- 17.23% required some further action;
- 0.39% needed an improvement plan or an audit visit; and
- 0.05% resulted in financial penalties being pursued.
British Airways and Marriott are therefore in very rarefied company, but I doubt that is of much comfort to them either.