In the past week, British Airways and Marriott Hotels have been hit with a combined $350 million in fines.
In Britain, summer is here and compliance fines are in the air. This week, the UK’s Information Commissioner’s Office has been handing out GDPR-related fines left and right, starting with British Airways, who received a $229 million (£183 million) fine on Monday July 8th, and continuing with Hotel Chain Marriott, who were fined $123,705,870 (£99,200,396). Both fines were related to the disastrous data breaches the companies suffered in the past year.
British Airways Faces Biggest Fine Ever
On Monday, the UK’s ICO has announced plans to fine airline British Airways £183 million over last year’s data breach. The fine is the biggest ever from the UK’s ICO. British Airways has 28 days to appeal the ruling before it is final.
Last year, British Airways fell victim to a huge data breach in which approximately 380,000 transactions were affected between August and September of 2018. Data breached included financial details of customers.
According to the Information Commissioner “poor security arrangements” at British Airways contributed to the breach of credit card information, and other Personally Identifiable Information (PII) of roughly 500,000 customers.
Namely, British Airways had known of vulnerabilities in their website in the form of 3rd party plugins going back at least a year before the breach was identified. Despite this knowledge, they did nothing to address the issues
Information Commissioner Elizabeth Denham said that the loss of such data is “more than an inconvenience” that companies must “protect fundamental privacy rights.”
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” said Denham.
Marriott Fined $123 Million
But the fines didn’t stop there. On Tuesday, The UK's ICO announced that it also intends to fine hotel chain Marriott $123,705,870 (£99,200,396) for last year's data breach.
According to a disclosure from the hospitality giant last year, a data breach exposed the personal identifiable information (PII) and financial information of up to 500 million customers who visited any of the chain's Starwood properties between 2014 and Sept. 10, 2018.
For approximately 338 million of those guests, breached data included PII such as name, mailing address, phone number, email address, passport number, date of birth, gender, and more. Customer payment card information, which was protected by encryption, was also accessed in the breach. 30 Million Europeans were affected in the breach.
As you might imagine, the UK’s ICO was not happy.
"The GDPR makes it clear that organizations must be accountable for the personal data they hold,” said Denham.
“This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected."
"Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public," Denham said.
Like British Airways, Marriott has 28 days to appeal the fine, and they have indicated that they intend to in a filing with the US Securities Exchange Commission (SEC).
Marriott has not yet faced any fines in the US.
Fines are Going Up
Both these fine comes less than a year after the UK’s ICO fined social media giant Facebook a mere £500,000 for its role in the Cambridge Analytica scandal, which affected nearly 90 million users.
That scandal, which brought Mark Zuckerberg to testify in front of members of U.S. Congress and the E.U Parliament, revealed that British political consulting firm Cambridge Analytica had used data collected for research purposes to target millions of Americans and EU citizens for political advertisements during the 2016 election cycle.
£500,000 may seem like a pittance compared to the damage done (and in my opinion it was), but that fine was the maximum legal amount permitted under the UK’s prior data privacy regulation, the 1998 Data Protection Act.
Now that the GDPR is in full effect, consequences for non-compliance are far more severe—up to 20 million Euros, or 4% of worldwide annual turnover, whichever amount is higher. For comparison, British Airways fine is equivalent to about 1.5 percent of its annual revenue as of 2017.
Proof that UK Companies Haven’t Wasted Their Efforts in Becoming GDPR Compliant
Let’s go back to that 1998 Data Protection Act for a moment. Before May 2018, that law was the only primary data protection law in the UK, which governed all industries and included some requirements in common with the GDPR. But, as we’ve seen, penalties were far lower. This contrast, in light of Brexit, led some to speculate (but not us!) that it was not necessary for British companies to focus their efforts on GDPR compliance.
Luckily, in May 2018, the UK government introduced the 2018 Data Protection Act which supersedes the 1998 act and brings the GDPR into UK law, meaning companies have not wasted their efforts in becoming GDPR-compliant.
When, or if Brexit finally does occur, it will not change that 2018 act which perfectly complements the GDPR, with some variations including the minimum age of consent for information society services (13), and other regional differences that reflect UK law and national security interests.
In short, Brexit or not, the principles of GDPR are also included in the UK’s 2018 Data Protection Act. The onus is still on every company to handle personal data in a responsible manner, which should be normal practice. If that doesn’t happen, we’re sure to see some even bigger fines from the UK’s ICO going forward.