In the last few weeks, the ICO has confirmed it will not fine British Airways (BA) and Marriott Hotels the £183.9m and £99.2m stated in the original notices of intention.
Instead, in a penalty notice issued on 16 October, it fined BA £20m for a data breach affecting more than 400,000 customers and employees, while on 30 October it fined Marriott £18.4m for failing to keep millions of customers’ personal data secure.
Although the ICO has not confirmed the methodology it used to reach the amounts given in the notices of intention to fine 18 months ago, it is obvious from the reductions and the long delay in finalising the penalties that the regulator has had a significant rethink.
It is significant that since those notices were issued in 2019, the ICO has published its proposed statutory guidance on enforcement, indicating an intention to cap fines at EUR20m (irrespective of the technical possibility of issuing far larger turnover-based fines). It would have been problematic for the ICO to finalise fines for BA and Marriott that were dramatically inconsistent with its own proposed statutory guidance.
The focus on the delays and the lower level of the fines creates a real danger of distracting from the fact that this remains a step change in the ICO’s approach to enforcement, and a significant deterrent to weak data protection practices.
Both cases involved significant breaches of the GDPR obligation to have in place proper technical and organisational measures to ensure the security of data. For BA, the ICO identified serious failures in its use of cybersecurity measures, and a long delay in identifying an attack by hackers that compromised the personal data of more than 400,000 customers and employees.
For Marriott, a company it acquired had failed to prevent and then identify an attack on its systems, which meant that when Marriott integrated that company's IT with its own it exposed personal data in 339 million guest records.
The penalty notices for both go into more detail, but there is a consistent theme – sub-optimal IT security practices and a lack of measures to identify data loss promptly. Companies would do well to focus more on the strong indication the significant fines give of the ICO’s intention to take the ‘technical and organisational measures’ obligation seriously than on the significant reduction of the final fines.
Although the methodology behind the original notices of intention to fine has remained vague, the BA and Marriott penalty notices give much more detail. Some of that detail, particularly on the mitigating factors the ICO considered, will be useful to companies faced with ICO enforcement action.
In the case of BA, the ICO took into account the fact that the airline notified the ICO promptly once it was aware of the breach; it did not gain financially from the breach; there were no relevant previous infringements to be considered; and it offered to compensate individuals who had suffered financial loss. The ICO also commented on BA’s co-operation with its investigation, and gave credit for BA’s improvements to its IT security arrangements after the breach. The ICO also reduced its fine to take account of the economic impact of Covid-19.
For Marriott, the ICO reduced the fine having taken account of similar mitigating factors. Both companies’ representations to the ICO also referred to fines by other European regulators in comparable cases. It is reasonable to conclude that the ICO will have been looking for some degree of alignment with the approach taken by other supervisory authorities in using enforcement powers.
There are three key things for companies to take away from the BA and Marriott fines:
The fines see the ICO showing its hand on a tough approach to companies failing to have proper technical and organisational measures to prevent and discover cyber attacks. Making sure IT security is in order should be top of the to-do list for any company handling significant amounts of customer personal data. The ICO will consider companies to be on fair warning that failures in IT security that contribute to data breaches will result in significant fines. The descriptions of the breaches in the penalty notices make for useful reading.
The mitigating factors the ICO took into account in setting the fines create a useful playbook for any company facing a breach of its own. Early notification to the ICO, co-operation with the ICO’s enquiries, fixing any IT security problems quickly and taking remedial action with affected customers are all vital.
Finally, companies should not assume that the reduction from the original notified fines means that the ICO will see any future enforcement action as a horse-trading process where it starts with a high fine and inevitably settles on something lower. If anything, companies should probably assume that the ICO has refined and calibrated its approach to penalties, having had its methods challenged in what always looked like test cases with BA and Marriott.