In July 2019 the ICO issued its notice of intent to fine British Airways the sum of £183.39m and Marriott Inc the sum of £99.2m for failing to prevent cyber-attacks and therefore breaching their obligations under GDPR. In October 2020, final penalty notices were issued. In both cases, the size of the fine was significantly lowered, with BA being fined £20m and Marriott being fined £18.4m.

What went wrong?

The BA attack took place from June to September 2018 and affected around 400,000 customers and staff. The data compromised included names, addresses, payment card numbers and CVV numbers of around 250,000 BA customers.

The ICO found that BA failed to take appropriate measures to prevent or mitigate the attack by:

  1. not protecting supply chain accounts with multi-factor authentication;
  2. having poor security and permission controls once the perimeter defence had been breached; and
  3. not having better controls, data and tools in place to limit access to applications on a user-by-user basis.

Marriott's attack related to the systems belonging to its Starwood subsidiary. The attack started in 2014 and was not identified until 2018 – two years after Marriott acquired Starwood. It resulted in the personal data of 339 million guests (of which 30.1 million related to residents of the European Economic Area, with 7 million of those in the UK) being compromised.

Marriott failed to implement appropriate technical and organisational measures. The ICO found that there was insufficient monitoring in place and only limited use of encryption.

In the original notice of intent to fine, the ICO indicated that Marriott's failure to carry out proper diligence during its 2016 acquisition of Starwood was a factor. In the final decision, the ICO makes clear that the fine relates only to the period following 25 May 2018, and therefore leaves open the question of whether the limited information security diligence Marriott carried out during the acquisition was sufficient.

How was the fine calculated?

The ICO first assessed the breach, its scale and severity, and stated the initial fine.

Both BA and Marriott then received a reduction in the fine for representations made by them and the mitigation steps taken after becoming aware of the breach. In particular, BA promptly informed subjects and worked with various government agencies and the media.

The impact of covid-19 on the businesses also reduced the fine to an extent.

The BA fine is roughly 1.5% of its annual turnover. Based on the "penalty starting point" table in the ICO's draft statutory guidance on how it will regulate and enforce data protection law in the UK, and the fact we know that the breach was not intentional, we can therefore deduce that the ICO has likely considered the BA infringement to be "high" in terms of seriousness. This is the second highest level of seriousness under the matrix.

What can we learn from these decisions?

  • The wider data that you hold should be encrypted, not just payment data.
  • Sophisticated attacks should be expected, particularly for larger organisations. This is why having appropriate security and organisational measures in place to protect the data is so important.
  • The ICO acknowledges that organisations are entitled to place some reliance on independent assessments of information security (for example, Marriott placed reliance on reports of compliance issued by two independent PCI DSS assessors).
  • Regular reviews of the adequacy of security measures are essential.
  • The fact that a system is due to be retired has no impact on obligations under data protection law in relation to the security of that system.
  • While the ICO does not address the question in its final decision notice, organisations should consider what steps they can take to carry out appropriate technical diligence on key systems when acquiring other businesses.
  • When discovering a breach, organisations should take prompt and effective remedial action.
  • In handling a breach, co-operation with the ICO and other relevant government and regulatory bodies is fundamental.
  • Robust representations to an ICO fine can be commercially advantageous.
  • In providing representations, mechanical comparisons with other fines will not be appropriate. Each fine will be decided on a case by case basis.
  • The absence of intention to cause a data breach or make a financial gain is not a mitigating factor; it is an aggravating one.

If you would like to discuss the BA or Marriott fines or your organisation's data security measures, please get in touch with Martin Sloan or Grant Campbell.

Contributor

Martin Sloan

Partner