Earlier this week, the UK Information Commissioner’s Office (ICO) announced its intent to fine British Airways £183,390 million ($230 million) and its intent to fine Marriott International more than £99 million ($123 million) for violations of the General Data Protection Regulation (GDPR) arising out of data breaches. The ICO investigated the breaches as the lead supervisory authority under the GDPR “one stop shop” enforcement mechanism. Both companies have an opportunity to comment on the ICO’s proposals, and other EU Member State data protection authorities (DPAs) have an opportunity to comment before the ICO renders a final decision.
British Airways announced a data breach in September 2018 affecting personal information for approximately 500,000 customers after hackers installed malware on British Airway’s website that directed customers to a fraudulent site where personal information was accessed. According to a July 8, 2019, ICO statement, “a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.” The ICO’s proposed fine – the highest for a data breach under the GDPR to date – represents approximately 1.5% of the airline’s annual revenue, which is not as high as the GDPR’s ceiling of 4% of yearly turnover.
In November 2018, Marriott notified the ICO of a data breach affecting its subsidiary Starwood, which reportedly compromised personal information for approximately 339 million guests. Marriott acquired Starwood in 2016, but the breach was believed to have occurred in 2014 and was not discovered until 2018. In a July 9, 2019 ICO statement announcing the proposed fine, the Information Commissioner stressed the importance of performing sufficient data protection due diligence as part of a corporate acquisition.
The ICO is proving to be an activist data protection authority under the GDPR, but it is not the only member state DPA to flex its enforcement muscles. In January, the French DPA fined Google $57 million for the “misuse of personal data” of its users. The Irish DPA is currently investigating Facebook’s data security practices after a massive data breach affecting 50 million accounts occurred in September 2018, and the social media giant’s fine could reach around $1.63 billion should the maximum penalty be imposed. The two significant fines proposed by the UK ICO for the British Airways and Marriott data breaches indicate that DPAs are looking beyond social media companies and tech giants when potential compliance violations are identified, especially in the wake of a data breach.
Article 33 of the GDPR requires controllers to notify the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it…unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Some DPAs have stressed the need for companies to evaluate this harms-based threshold for filings. The fines may result in increasing the number of reports of possible data breaches to DPAs as companies conservatively elect to report, but companies must consider applicable reporting obligations in other jurisdictions, recognizing that any breach notification can trigger an investigation of a company’s security practices by relevant regulators.
Breach notification in the United States remains complicated because the reporting thresholds are not consistent, as our state data breach notification resource indicates. It remains critical for companies to establish sound data security, breach identification, breach management, and breach reporting procedures consistent with not only the GDPR, but all applicable laws where they operate.