GDPR News – Data Breach
Within the past week, the Information Commissioner’s Office (ICO) has signalled its intent to crack down on breaches of data protection law by announcing record proposed fines against two companies. The ICO has issued both Marriott International and British Airways with notices of its intention to fine them – Marriott International in the region of £100m, and British Airways approximately £183m.
It should, however, be noted that at this stage the ICO has only issued a notice of the intention to fine both companies – such notices may be issued in situations where public knowledge of the issue already exists, where there are financial reporting obligations or where it is necessary for international regulatory cooperation. In this case, the notice was issued in response to British Airways’ statement issued on the London Stock Exchange and, in the case of Marriott International, in response to a filing made with the US Securities and Exchange Commission. The full extent of the fine will not be confirmed until a final monetary penalty notice is made by the ICO. Both companies have the opportunity to make representations to the ICO to defend their own position.
Marriott International’s proposed £100m fine relates to a cyber security incident believed to have begun in 2014. Attackers compromised the guest reservation database of the Starwood Hotels group, which Marriott International subsequently acquired in 2016. It was not until 2018 that Marriott International discovered the breach and notified the ICO. The ICO found that Marriott International had failed to carry out sufficient due diligence into the Starwood Hotels group’s data protection compliance programme when it made the acquisition, and that it should have done more to secure its systems.
British Airways’ proposed fine of £183m relates to a cyber security incident which began in June 2018 but was not reported to the ICO until September 2018. Users of the British Airways website were fraudulently diverted to another site, from which attackers were able to harvest prospective passengers’ personal information. It is believed that approximately 500,000 customers were affected, and that the information obtained included payment card details. The ICO found that British Airways had failed to adequately protect its computer systems. The proposed fine amounts to 1.5% of British Airways’ worldwide turnover for 2017.
Both cases highlight the strong stance that the ICO and other data protection authorities are taking in response to data protection failures, and the importance of having a robust and strong data protection compliance program.
In particular, the Marriott International fine is a stark reminder of the importance of carrying out in-depth due diligence when acquiring a company, especially in relation to the target company’s own data protection compliance programme. It is also a reminder that, after the acquisition, the target’s policies and procedures must be reviewed and updated where necessary. Failure to do so could leave the acquiring company exposed to large financial penalties, as this case demonstrates.
For more information, contact Matthew Lea on 01189 898 155 or email firstname.lastname@example.org
This reflects the law at the date of publication and is written as a general guide. It does not contain definitive legal advice, which should be sought as appropriate in relation to a particular matter.
Senior Solicitor, Corporate and Commercial Law
We are solicitors in Camberley, Wokingham and London. In 2019, Herrington Carmichael won ‘Property Law Firm of the Year’ at the Thames Valley Business Magazines Property Awards, ‘Best Medium Sized Business’ at the Surrey Heath Business Awards and we were named IR Global’s ‘Member of the Year’. We are ranked as a Leading Firm 2020 by Legal 500 and Alistair McArthur is ranked in Chambers 2020.