The decision by the Information Commissioner’s Office (ICO) to issue notices of ‘intent to fine’ British Airways and Marriott International is a much needed reality check for organisations that may have been lulled into a false sense of security by minimal enforcement activity since GDPR came into force on 25 May 2018. Here, legal and technology experts reflect on what this development means for business.
Dianne Yarrow, partner and commercial solicitor, Gardner Leader:
Not long after the first anniversary of GDPR coming into force, the ICO has issued the largest ever fine to British Airways for a data breach relating to 500,000 customers.
Under Article 5 of the GDPR rules, personal data shall be ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes… and… processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)’.
The compromised information in the BA cyber incident included logins, payment cards, travel bookings, names and addresses. Clearly, BA breached the above Article and the wider GDPR as it failed to safeguard personal data that it was entrusted with.
BA has been issued with a fine amounting to 1.5% of its worldwide turnover in 2017, which far surpasses the previous record fine of £500,000 that Facebook was ordered to pay in the Cambridge Analytica data scandal. The difference in the fines is owed to the change of law between the incidents, namely the arrival of GDPR, which allows a maximum fine of up to 4% of annual turnover. The penalty is substantial. There are various factors considered when setting the level of fine. Amongst others, these include the number of people affected and the level of damage suffered; the negligent character of the infringement; the degree of responsibility of the controller; and the categories of personal data affected by the infringement. Evidently, given the vast number of customers affected and the details compromised, the ICO deemed it fit to order a substantial penalty that sends a strong message to all data controllers.
The first large fine was always going to be hotly contested and in the next 28 days we should learn details of the basis on which BA will appeal the ICO’s decision, together with the ICO’s response to the appeal. The ICO will have to take into account any action taken by BA to mitigate the damage suffered by data subjects, the degree of cooperation with the supervising authority and any other mitigating factors.
Given current GDPR guidelines, it can be reasonably expected that any decision by the ICO will set a strong precedent for future large-scale data breaches. Anyone who has not yet taken steps to ensure they comply with GDPR should revisit what they need to do in the context of their business.
Jon Baines, Data Protection Advisor, Mishcon de Reya:
News that the ICO is intending to fine BA £183m and Marriott International £99m is remarkable for a number of reasons.
Firstly, and crucially, these are merely ‘notices of intent’ – recent figures obtained by this Firm under the Freedom of Information Act indicate that nearly one in three ICO notices of intent ultimately either get cancelled or result in a lower final penalty.
Secondly, the legality and fairness of ICO’s investigative procedure has come under serious – and extraordinary – challenge in the recent case involving Facebook, in which the latter is alleging bias, pre-determination and procedural irregularity. It is quite possible that similar arguments will be aired in any challenge to the notices of intent.
Thirdly, the notices of intent were announced initially not by the ICO but by the recipients, under their market notification obligations. To this extent, ICO’s hand has been forced; it will definitely be hoping it has got its factual and legal analyses right, because the challenges coming its way are likely to be robust and costly.
Fourthly, these sums are huge, market-influencing ones. Up until now, people were certainly concerned about GDPR, but this news makes it very clear that fines arising from alleged non-compliance have become a major corporate risk factor.
No one should over-react to this news. But everyone should pay very close attention to developments.
Michael Mittel, CEO, Rapidfire Tools:
This is just like HIPAA in the USA, where it took several years, but eventually fines did become a regular occurrence. In the US, half of organisations with HIPAA violations end up closing down and the same will happen with GDPR. The purpose of the ICO is to enforce the law and to protect the people, not to come to the defence of corporations. To remain compliant with GDPR, senior leaders have got to know their own company, to understand what their company does and how it collects data. Is it part of the company DNA or just something that’s done off-handedly?
The impacts of a GDPR fine can be huge. In addition to the monetary fine, there can be loss of goodwill, damage to the company’s reputation, loss of future business, network downtime, legal fees for years on end, employee morale issues, customer loss of trust and confidence, executive turnover, unhappy shareholder demands. All this can lead to failure of the business. If you aren’t a big company and you don’t have the money to go through an expensive appeal process like BA is doing, a fine may literally shut you down.
Tony Pepper, CEO, Egress:
It’s really interesting that the ICO issued a second intention to fine under GDPR just one day after the BA news broke. By barely drawing breath between the two announcements targeting two household names, they have achieved maximum impact in showing the potential of their extended powers under GDPR. The scale of both fines can leave no doubt in anyone’s mind that we are now operating under very different standards than when the Data Protection Act was enforced.
If it wasn’t clear before, it certainly is now: there can be no hiding place for organisations that fail adequately to protect customer data. If the BA announcement felt like the tip of the GDPR iceberg, the Marriott one has started to show how deep this problem really goes – and what the ICO is willing to do to get to the bottom of it.
Alex Bransome, Virtual Cyber Information Security Officer, Doherty Associates:
According to the ICO report, there were major weaknesses at the front end of British Airways’ data network via its website, which is surprising given that this is where all business critical data on customers is processed. The attack was made possible due to a major web-based vulnerability in the front end of BA’s website, which cyber attackers exploited using a common strain of malware, heavily customised to exploit the vulnerabilities of the BA network.
It was a very well planned and targeted attack that allowed cyber criminals to skim off customer data and credit card details. BA should have been doing more to monitor, test and update its security systems to ensure there were no gaps in their cyber defence that hackers could take advantage of.
Commonly, organisations make the mistake of deploying security systems and then leaving them. This record £183m fine imposed on BA is a warning shot to all other organisations that the ICO is serious about fining anyone breaching GDPR regulations. To keep their front door secure and personal data protected at all times, companies must regularly run security checks and update their security systems to ensure any vulnerabilities are identified and patched so no gaps are left for cyber criminals to exploit. If not, they are leaving their customers’ data exposed, risking a GDPR compliance breach and major reputational damage.
Dr. Guy Bunker, CTO, Clearswift:
With the news that BA has been fined £183m, we have an answer to the question posed at the time of the hack: will we see a substantial fine levied on the company? While there have been a number of breaches since the legislation was brought in last year, this is the first major ICO fine for a GDPR breach in the UK and shows that the Information Commissioner’s Office is willing to fine large companies for losing personal information, in this case 1.5% of their worldwide turnover in 2017. British Airways will now have to redouble their efforts to prove that they and their supplier have a malware-free infrastructure, in order to begin the process of rebuilding trust with customers.
The good news is that the breach was picked up relatively quickly. BA has systems in place that enable it to narrow down both how the incident happened and who was affected. Unlike the TalkTalk incident, where the numbers impacted changed on a regular basis, the BA team appears to have done its due diligence on the event quickly and efficiently.
Finding a second attack is not uncommon, and there may well be more. The sophisticated attacks now carried out by organised criminals are designed to have multiple aspects, so that if one is discovered, secondary or tertiary attacks will be ongoing. Any vulnerability found in an IT infrastructure will be exploited to its maximum, and within that exploit further discovery will be carried out to see what other pieces of malware can be introduced. Once an infection takes hold of an environment, it is often easier to rebuild it from scratch than to try to take out the malware infections one by one – if you miss one because it is hibernating, you could end up back at square one in a few weeks’ or months’ time.
Divya Gupta, Partner, Dorsey & Whitney:
The huge fines facing Marriott for a GDPR breach are a signal to other companies that the regulatory bodies are strictly enforcing the law to protect consumer personal data from loss, damage or theft. When entrusted with personal data, it’s a company’s job diligently to look after it, and for many years businesses have gotten away with not doing so. With further fines like this on the horizon, companies doing business in the EU should look to their American operations too.
Several states are imposing privacy laws in the United States – California leading the pack with the California Consumer Privacy Act – and this means possible future penalties for non-compliance now. Thirty million Europeans were impacted in the Marriott breach; if just 10% of that number were California residents, Marriott would be looking at $300,000,000 in domestic statutory penalties as a minimum for failure to enact reasonable security practices and procedures. The lesson here: this GDPR penalty is a paltry sum compared to what is looming.
Jake Olcott, VP Government Affairs at BitSight:
It has never been more important for board members and corporate executives to understand and manage their organisation’s cybersecurity performance. Poor performance leads to breaches, fines and legal liability, so executives must start treating cybersecurity like other business risks. Receiving ongoing briefings, quarterly reports with quantitative metrics, and developing a more strategic approach to cyber risk are no longer nice to have; they are required.