On Oct. 30, 2020, the United Kingdom’s data protection authority, the Information Commissioner’s Office (ICO), in connection with France’s Commission nationale de l’informatique et des libertés (CNIL), announced the largest security fines, jointly imposed by the authorities under the General Data Protection Regulation (the GDPR), against British Airways and Marriott International Inc. (Marriott). The fines levied against the two companies totaled more than $50 million.
The fines follow investigations into well-known data security breaches in 2018. In the case of British Airways, the data hack involved approximately 430,000 individuals and included the breach of their names and addresses and, for more than 200,000 data subjects, their sensitive bank account information (including credit card numbers and CVV codes). With respect to Marriott, 339 million customer accounts were affected, including 30 million European accounts containing names, email addresses, phone numbers, passport numbers, arrival and departure information, VIP status, and loyalty program information.
This is ICO’s first major fine under the GDPR. ICO worked with CNIL under the GDPR’s “one-stop shop” provision. Under that cooperation mechanism, ICO’s draft decisions were sent to the other European data protection authorities concerned and examined closely by CNIL. This is a key process under the GDPR: the lead authority must coordinate with and work alongside the regulators in the other countries affected by a breach. The lead authority shares its findings and proposed fines with those regulators, which review the proposed fines and discuss the review process with the lead authority before confirming the proposed fines or recommending revisions. CNIL endorsed the final outcome before the decision, and ICO published the fines this past week. Under the GDPR, a company subject to a breach is also given an opportunity to argue, comment and make written observations on a proposed fine after being notified of it.
ICO levied a fine of £18.4 million (approximately $23.9 million) against Marriott. This amount is a significant decrease from the originally proposed fine of £99,200,396 (approximately $124 million) announced by ICO in July 2019. ICO’s fine was measured from the point at which the GDPR came into force (May 2018) and is the second-largest fine levied by ICO thus far under the GDPR.
In calculating its fine, ICO took into consideration that (i) Marriott did not gain any financial benefit from the breach, (ii) the nature of Marriott’s data security and information technology failures was of significant concern, as there were multiple measures Marriott could have employed to detect the attack earlier and (iii) significant distress was caused to individuals, which was evidenced by the likely cancellation of payment cards and the 57,000 calls received by Marriott’s call center following the breach. In reducing the proposed fine, ICO considered (i) the representations made by Marriott, (ii) the steps Marriott took to mitigate the impact of the incident and (iii) the economic impact suffered by Marriott as a result of the COVID-19 pandemic. Marriott’s mitigation efforts included implementing password resets and enhanced detection tools and disabling accounts known to be compromised. Further, Marriott set up a dedicated incident website in a number of languages and a call center, and took a number of other steps to assist and reassure data subjects. ICO also considered the fact that Marriott had fully cooperated with ICO’s investigation.
On Oct. 16, 2020, ICO announced a fine of £20 million (approximately $25,850,000) for British Airways. This fine too was a significant decrease from the proposed fine of £183,390,000 (approximately $230,000,000) announced by ICO in July 2019; but while 90% less than initially proposed, the fine remains the largest fine imposed to date by ICO.
In calculating the fine, ICO took into account British Airways’ representations in response to the original Notice of Intention to fine and additional technical information that British Airways submitted, together with the factors listed in Article 83(2) of the GDPR, which include the nature, gravity and duration of the infringement, the number of data subjects affected and the damage to them, and steps taken to mitigate the impact of the incident. Mitigating factors included the fact that British Airways (i) did not gain any financial benefit from the breach, (ii) notified ICO promptly on becoming aware of it, (iii) had no relevant previous infringements and (iv) offered to compensate individuals for financial loss suffered as a direct result of the theft of their card details.
ICO stated that British Airways had cooperated fully with the investigation and noted the improvements British Airways had made to its IT security since the breach. ICO further reduced the fine by 20% (to £24 million) to account for these mitigating actions, and reduced the fine by another £4 million to reflect the economic consequences of the COVID-19 pandemic.
Companies that are subject to a breach should:
As evidenced by ICO’s rulings in British Airways and Marriott, timely reparative actions play a key role in determining the fines imposed by data protection authorities under the GDPR. In addition, a company’s financial health, the harm it suffered as a result of the breach and the impact of major world events — such as a global pandemic — may be important factors in the evaluation of appropriate fines, and evidence of these factors should be emphasized.