The Information Commissioner’s Office (ICO) recently fined British Airways (BA), Marriott International (Marriott), Ticketmaster £20 million, £18.4 million and £1.25m respectively for failures to keep their customers’ personal data secure. These companies suffered separate data breaches in 2018 which resulted in a large number of their customers having their personal data, including credit card details, compromised.
Whilst all these fines are significant (a record fine in the case of BA), what is interesting is the huge change of approach by the ICO which had originally issued notices of intention (“NOIs”) to fine BA an incredible £183.4 million and Marriott £99.2 million back in July 2019. The NOI to fine for Ticketmaster was £1.5M.
Clearly, something has changed. But what is it?
Why were the fines reduced by so much?
The most significant reason for the reduction in the level of the fines issued against the companies appears to be due to the ICO using a fresh methodology to calculate the fines.
For the BA and Marriot NOIs, the ICO had relied on a methodology set out in an unpublished, internal document. This provided that turnover should be the key consideration for the ICO when setting fines under the GDPR. However, BA argued that reliance upon this was unlawful and, ultimately, the ICO decided to depart from this methodology entirely when calculating the fines issued against BA and Marriott. It did not use this methodology for Ticketmaster and hence there was only a small reduction from £1.5M to £1.25M.
Instead, the ICO calculated the fines in line with its Regulatory Action Policy (“RAP”). The RAP sets out a five step process that the ICO must follow when issuing fines. Steps 1 to 4 deal with factors which add to the level of the fine (including, amongst other matters, whether the infringing party obtained any financial gain from their actions and the severity of the infringement). Taking into account these factors alone, the ICO deemed that BA’s breach of GDPR would warrant a fine of £30 million, Marriott’s would warrant a fine of £28 million and Ticketmaster £1.5 million.
However, step 5 of the process requires the ICO to take into account any mitigating factors (a list of which are set out in the RAP) which should result in the fine being reduced.
A number of overlapping mitigating factors were considered to be present in the case of both the BA and Marriott breaches. These mitigating factors included:
- both companies implemented immediate measures to minimise and mitigate the effects of the attacks;
- both companies cooperated fully with the ICO as part of its investigations into the incidents;
- the broad press coverage relating to the cyber-attacks likely raised awareness with other companies as to the risks involved with cyber-attacks; and
- both companies suffered significant reputational loss as a result of the cyber-attacks.
Taking into account all mitigating circumstances, the ICO determined that each company should have their fine reduced by 20% (representing a £6 million reduction in the case of BA and a £5.6 million reduction in the case of Marriott).
Finally, the ICO took account of the impact of Covid-19 on the companies. In the case of both BA and Marriott, this resulted in the fine being reduced by a sum of £4 million. In the case of Ticketmaster this was £250,000.
This is a relatively small amount considering how hard these companies have been hit by the pandemic and suggests that companies should not expect too much leniency for infringements during this time.
Other key take-aways
In addition to the above, a number of other conclusions can be drawn from the enforcement notices. We have set out a summary of these below:
- Importance of security frameworks – the ICO found that the companies should have had in place various security measures (such as multifactor authentication and encryption) which would have either prevented the cyber-security incidents from occurring or at least mitigated their effects. In reaching these conclusions, the ICO referred to guidance from various IT security institutes and bodies, including the National Cybersecurity Centre, OWASP and NIST. As a result, it appears that all companies should have regard to well-known security frameworks when assessing and implementing their security protocols.
- Intent not required for heavy sanctions – both BA and Marriott argued that it was unfair for them to be heavily sanctioned for the cyber-security incidents given that they themselves were victims of the cyber-attacks and not the perpetrators. However, the ICO found that, given their size and sophistication, the companies were negligent in failing to implement proper security measures and therefore the breaches fell within the bracket of the most severe type of infringement under the ICO’s RAP. This is in line with the wording in Art. 83 GDPR which allows supervisory authorities to take into account the “negligent character of the infringement” when issuing fines.
- Act fast and cooperate in the event of a breach – BA and Marriot, both companies had their fines significantly reduced in part due to their speedy action to mitigate the effects of the breach and their cooperation with the ICO. However, Tickmaster’s slowness to respond was perceived to be an aggravating factor. It is clear that cooperating with the ICO in the event of a breach will be received positively.
- Compliance with principles is essential – the companies were all found by the ICO to have violated the principle of integrity and confidentiality under Art. 5(1)(f), as well as the security obligations set out under Art. 32 GDPR. Violation of the GDPR’s principles attracts the highest levels of fines and therefore compliance with these should be considered a priority for all organisations caught by the GDPR.
The latest Ticketmaster fine highlights that the ICO has honed its regulatory enforcement approach and we are unlikely to see the massive reduction in fines as in the cases of BA and Marriot. It also establishes a marker for that future in that we are more likely to see fines in the single and tens of millions instead of hundreds of millions.
If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.