From £3 million over the course of a year, to a cool £282 million in a single week. That’s the evolution that the ICO has undergone, when it hit the international hotel group Marriott with a mammoth £99.2 million fine just a day after issuing one twice that size – £183 million in total – to British Airways.
These didn’t come without fair warning – the regulation is clear, as are the potential penalties for breaking it. Marriott’s fine represents 0.5% of the company’s revenue, whilst BA’s represents 1.5% – still both short of the 2% lower band fine allowed by the regulation. No business owner can seriously claim to have been in the dark about the potential impact of the GDPR on their organisation.
But what can we learn from these cases?
A wake-up call for personal data protection?
Both Marriott and BA have stated that they plan to appeal to the ICO, but whether this strategy will get them anywhere remains to be seen. Appeals must be made in the next 90 days, and in Marriott’s case in particular, since the ICO has already shown leniency in fining the firm just 0.5% of its revenue, this seems unlikely to get much traction.
BA has 28 days to comply or appeal the decision, and whilst an appeal may result in a reduction it seems highly unlikely that a significant fine will be avoided. Meanwhile, reputational damage has already been done. BA’s parent company, IAG has already seen its stock price hit, and consumer confidence in BA has been shaken.
Ultimately, we are seeing precisely what the GDPR was intended to achieve; a sharp shock for both UK-based and global businesses, and a demonstration of the sharpness of the ICO’s teeth. For a bit of perspective, BA’s fine is 367 times bigger than that issued after the £500,000 Facebook Cambridge Analytica scandal, which occurred pre-GDPR.
History coming back to haunt you?
Marriott’s data breach actually occurred back in 2014, but was only discovered in 2018. This highlights an important and sobering fact – the ICO will consider historical breaches under GDPR if they were discovered and reported after the 25th May 2018. The breach itself occurred within the Starwood hotels group in 2014, which was acquired by Marriott in 2016. This should serve as a warning to organisations employing a growth-by-acquisition strategy, that there is a need to consider historic undisclosed breaches as a significant risk as part of the due diligence process.
The ICO’s statement does not go into the details as to how sensitive data pertaining to around half a million BA customers was compromised. A number of cybersecurity experts, including those from within SureCloud, have speculated that the attack was most likely from vulnerable embedded scripts on BA’s website. While it doesn’t explicitly name the cause, statements that BA released around the time, coupled with the ICO’s statement, are consistent with this.
Meanwhile, on the Marriott side, the hospitality industry has been particularly slow to move around information privacy. This is a wake-up call that the ICO is not just focusing on tech and finance, as some might have predicted.
These fines have seen the ICO acting as the lead supervisory authority on behalf of the other EU member states. Behind the scenes, we suspect the German (DFDI) and French (CNIL) authorities are likely to have placed pressure on the ICO to show a very strong response to shock business out of any GDPR-related despondency. No doubt, too, that CNIL’s £44million fine issued to Google in January 2019 sent a message that action must be taken.
Ultimately, every organisation is different, and it is difficult to definitively prescribe a solution that will help other companies to avoid identical breaches. Nevertheless, there are some general recommendations that make sense for all.
Firstly, strong and well-tested IT controls around any aspect of your service where you handle personal data, particularly in relation to payments or sensitive information, are critical. Concern should be paid to any components which may be loaded into the application at this time, or interact with the data, in these processes. Leveraging testing services that go beyond simple vulnerability scanning is more likely to identify potential risks.
Secondly, most complex business applications are dependent on third parties, either passing data to or leveraging components from them. It is essential that risk-based due diligence around third parties is performed regularly, informed by the data and processes they will be handling or participating in. As has been demonstrated here, BA is being fined even though scripts embedded by third parties are the suspected cause.
And finally – a positive takeaway. BA’s breach was reported to the ICO in a timely fashion and the company has worked closely with the regulator. Perhaps airlines’ culture of learning from disasters made such a company likely to be among the first organisations to report a breach to the ICO following the May GDPR launch, but it is certainly commendable that BA has done so with such transparency. Although this doesn’t appear to have softened the fine, we hope that many more organisations follow suit for the benefit of data subjects.
Written by Alex Hollis, GRC Services Director, SureCloud
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.