Much has already been written about the UK Information Commissioner’s Office (ICO) decisions to fine the large household names Marriott and British Airways around €100m and €200m respectively. And, following on from the French regulator's (CNIL) decision earlier in the year to hit Google with a €50m fine, it would seem that we are now beginning to see the types of fines that data protection leaders warned of in those balmy days pre-GDPR.
We’re yet to see the final notices in either of the two recent cases, but there would appear to be some obvious lessons which follow an established theme that must act as a warning – pour encourager les autres.
Firstly though, some context – neither fine has yet been levied; in essence, the notices of intent start the bargaining, with each company having the opportunity to present its case and any mitigation. This will start directly with the ICO, which may agree a reduction, and may then be followed by an appeal to a tribunal. If the companies do accept the final verdict proposed by the ICO following their mitigation, there will also almost certainly be an early payment ‘discount’ – so the chances of the whole of that €300m (and change) heading into the coffers of Her Majesty’s Government (not the ICO itself, note) are relatively slim.
Still, the figure is a starting point and certainly has grabbed headlines – the reputational impact on both companies from the initial breaches was not insubstantial, and, now more than half a year later, is continuing to make headlines.
There is a supposition too that it is not just the ICO putting a marker down for companies. The ICO has a reputation as a pragmatic and ‘business friendly’ regulator – its guidance is excellent, and it has recently offered the innovative ‘sandbox’ programme to give companies the space to innovate without the threat of enforcement; in effect a guided and supervised Data Protection Impact Assessment. In this case though, it is highlighting its willingness to use the ‘teeth’ of the new regulation, making a strong argument for retaining a more regular invitation to the European Data Protection Board, which it will otherwise lose post-Brexit.
So, to the ‘meat’ of the cases, such as we know them. Although both relate to security breaches, the lessons from each are slightly different. British Airways would appear to be a straightforward security failure – speculation is that a third party script was placed on the app and website but, until the ICO publishes its final decision note and the nature of the breaches (it will not of course go into technical details), we won’t fully understand the logic of the decision. In terms of scale, the breach was considerable, with direct financial impact for some individuals – and clearly the ICO has assessed that British Airways should have done better.
Marriott’s issues also relate to a security breach, but have potentially broader implications. They relate to company mergers and the due diligence and processes that have to be in place where this happens. In this instance, having taken on the Starwood chain and customer database, Marriott bought, without realising it, a long-term vulnerability and did not identify it in the subsequent period leading up to the breach. It didn’t matter that the vulnerability was there prior to the purchase – in buying the business, it also bought the risk and the responsibility for sorting it out.
This isn’t the first time that we’ve seen the ICO fine companies for data-handling failures within groups. The Equifax (UK) Ltd. fine in 2018 (under the 1998 Data Protection Act) related to poor controls between group companies – the breach was actually caused by the US parent but, under UK and EU law, the UK subsidiary was the Controller and so subject to direct enforcement for failing to properly control the actions of its Processor – in that case its US parent – leading to a breach of data that shouldn’t have continued to be held following a cyber attack.
While the Marriott case reverses the position, the underlying issues are similar – lack of controls around data within a group of companies operating together, and a vulnerability in one part directly affecting the operations and reputation of the others.
The fact here is that, in both cases, the breach simply provided a foot in the door. Again, we have not yet seen the detail of the ICO’s findings in the Marriott case, but it’s clear that the complexity of data protection in the context of multinational groups will not be a mitigating factor, going forward.
So, what do we do? Where should we prioritise? Effective risk management is key – identifying where the problems may arise in processing, adding in risks like M&A activity and working closely with cybersecurity teams to identify and fix vulnerabilities. Investing in Governance, Risk and Compliance (GRC) support and technology won’t necessarily get you off the hook but it will at least give you a far better story to tell if – when – the worst happens.
Eclipsing the previous high watermark of the CNIL’s fine in early 2019, the two notices of intent from the ICO answer, and in some style, the question that some were beginning to ask on whether the GDPR would live up to the hype – whether it has teeth. They will also refocus minds, acting as a timely reminder one year on from the regulation coming into force. If the notices serve to raise awareness, reminding organizations of their responsibilities around security and privacy practices and encouraging them to act on them, that has to be a good thing.