In July 2019, the UK Information Commissioner’s Office (“ICO”) issued two notices of intent (“NOIs”) to fine British Airways (“BA”) and Marriott International Inc. (“Marriott”) for violations of the EU General Data Protection Regulation (“GDPR”), both related to high-profile personal data breaches. The NOIs proposed staggering fines of £183.39 million and £99.2 million, respectively, which would have constituted the largest penalties levied under the GDPR to date. More than a year later, the UK ICO finally issued the long-awaited penalty notices in relation to both investigations, imposing in both cases fines that, while still significant, were greatly reduced from what had initially been indicated – £20 million in the case of BA (a massive reduction of more than £163 million), and £18.4 million in the case of Marriott (an equally surprising reduction of more than £79 million).
Since the GDPR came into force, businesses have been waiting for clear guidelines with respect to enforcement; in particular, how to answer the question: what size of fine can an organization expect to receive in the event of a personal data breach?
We’ve examined the ICO’s penalty notices against BA and against Marriott to try to understand what gave rise to the drastic revisions to the penalty proposals and how the ICO will calculate penalties in the future.
Determining the appropriate penalty
Article 83(1) of the GDPR explains that penalties should be “effective, proportionate and dissuasive”. The ICO’s own Regulatory Action Policy (“RAP”) further explains that “more serious, high-impact, intentional, wilful, neglectful or repeated breaches can expect stronger regulatory action”.
In determining the appropriate fines to impose upon BA and Marriott, the ICO followed the five step process laid out in the RAP (detailed below).
Step 1 – Removing any financial gain from the breach. This step was not deemed to be applicable in either the BA and Marriott cases.
Step 2 – Censuring the breach based on its scale and severity. The ICO took into consideration the nature and gravity of the companies’ data security failures; the duration of the breaches; their negligent nature; the degree of responsibility attributable to the companies; cooperation with the ICO; and the categories of personal data affected.
Taking all such considerations into account, the ICO determined that a penalty of £30 million was appropriate in the case of BA, and £28 million in the case of Marriott. No explanation was given by the ICO as to why these figures represent the appropriate starting point (and not the much higher figures initially published in the NOIs).
Step 3 – Relevant aggravating factors. The ICO did not find any additional, relevant aggravating factors to increase the amount of penalty determined at step 2, in either case.
Step 4 – Deterrent effect. The ICO did not consider it necessary to increase the penalty further to dissuade others, especially given that the ICO did not identify widespread issues or poor practices that would be particularly deterred by the imposition of a higher penalty, in either case.
Step 5 – Reducing the amount to reflect mitigating factors.
The ICO took into account BA’s prompt response to the attack, including the immediate measures taken by BA to mitigate and minimise any damage, and the company’s prompt notification to the affected data subjects, law enforcement and regulatory agencies. The ICO also paid attention to the dissuasive effect of the breach on BA as well as other industry stakeholders and the adverse effect the personal data breach had had on BA’s brand and reputation. In light of these mitigating factors, the ICO reduced the £30 million penalty by 20%, to £24 million.
Similarly, the ICO took into account Marriott’s prompt response to the attack, full cooperation with the ICO, planned security investment into the network infrastructure of the affected subsidiary, and the dissuasive effect of the breach on Marriott and other industry stakeholders. Consequently, the ICO determined that a reduction of the penalty by 20%, to £22.4 million was appropriate.
Covid-19 – The ICO’s regulatory approach during the Coronavirus public health emergency. In line with the ICO’s published guidance regarding their approach to issuing fines amidst the Coronavirus public health emergency, as an additional step, the ICO deemed it appropriate and proportionate to further reduce the penalty in each case by £4 million, bringing the final penalty payable by BA to £20 million, and Marriott to £18.4 million.
Understanding the departure from the NOIs
In the absence of a clear explanation from the ICO, the rationale behind the departure from the NOIs is somewhat speculative. While the ICO discounted the final Marriott and BA fines by £4 million to reflect the impact of the Covid-19, it is possible that the reductions to the amounts initially proposed in the NOIs reflect the financial position of the companies following significant disruptions to the airline and hospitality industries as a result of the pandemic. While the precise details are unknown, advocacy by the companies appears to have gone a long way in both the BA and Marriott cases.
Representations by the companies
The ICO did not provide a clear explanation for its departure from the NOIs. However, it is possible that the dramatic shift was the result of expert advocacy by the companies as part of the “representations” stage of the ICO’s process.
The UK Data Protection Act 2018 provides a mechanism under which a company that has received a NOI can make “representations” to the ICO, which the ICO is then required to take into account when determining the final penalty. This mechanism effectively acts as an initial appeal process whereby the company has the opportunity to advocate for a reduction in the fining amount. In the BA penalty notice, the ICO noted that re-calculation of the penalty following extensive representations was part of the process to ensure “the procedural fairness of the Commissioner’s decision-making”.
Withdrawal of certain ICO claims
While the precise details of the representations are not public, it is clear that the companies succeeded in their argumentation. In both cases, the ICO withdrew several assertions of GDPR breaches in its final penalty notices. In the case of Marriott, the ICO did not pursue violations of Articles 33 and 34 of the GDPR (breach notification requirements) following Marriott’s detailed submission of additional factual and technical evidence, with the ICO specifically noting that their decision was made “in the light of Marriott’s Representations”. In the case of BA, the ICO decided not to pursue the alleged Article 25 violation (data protection by design and by default), although the ICO did not explain the rationale behind this is (and have even specified that it did not agree with BA’s interpretation of Article 25).
Criticism of the fining procedure
In calculating the penalties published in the NOIs, the ICO relied on its Draft Internal Procedure for Setting and Issuing Monetary Penalties (“Draft Internal Procedure”). The Draft Internal Procedure uses the turnover of the organisation as the starting point for determining the appropriate penalty. Both BA and Marriott criticised the use of this guide in their representations for contravening the principle of legal certainty, as the Draft Internal Procedure is an internal document. The ICO, having noted that they considered the detailed submissions each party made on this issue, but without further elaboration, agreed not to utilise the Draft Internal Procedure in calculating the penalty in the final penalty notice.
Important takeaways
Advocacy during the representation stage cannot be underestimated.
As discussed above, representations made by the companies resulted in the ICO withdrawing certain allegations of GDPR breaches and agreeing not to use the Draft Internal Procedure in connection with the calculation of the penalties. The ICO also specifically noted in BA that the “revised penalty of £20m is considerably lower than the original proposed penalty, having taken into account BA’s detailed Representations”, and that they have “clarified certain factual findings that were included in the NOI and/or the draft decision” in light of BA’s submissions. For instance, in the case of BA, despite remaining of the view that the later date of 16 November 2018 is the appropriate end date to consider with respect to the duration of the breach (as it did in its NOI), the ICO instead decided that the infringement period would be regarded as continuing until 5 September 2018 only, having “considered BA’s submissions” (but again, without further details as to its reasoning). Similarly, in Marriott, the ICO noted that “the proposed penalty took account of and reflected the submissions made by Marriott in response to the NOI”. While it is unclear which of the representations affected the re-calculation of the fines (and to what degree), it is evident that the companies’ representations were persuasive.
The ICO will take into account financial hardship and economic circumstances.
The airline and hospitality sectors are arguably among the worst affected industries as a result of the Covid-19 pandemic. The ICO acknowledged in both the BA and Marriott cases that the pandemic had caused a “significant impact” on revenues and the immediate financial positions of the two companies. With respect to the penalties imposed, the ICO took into account both companies’ “overall financial position” in determining that the “imposition of a penalty in the range” being considered “will not cause financial hardship”. While not indicated by the ICO, it seems plausible that the penalties in these cases were revised downward such that the ICO could be comfortable that no financial hardship would arise. However, the ICO’s willingness to impose multimillion pound penalties despite the ongoing crisis is perhaps a warning to other companies that data protection will not be overlooked due to financial pressures alone.
Prompt actions, cooperation and transparency go a long way.
In its penalty notice to BA, the ICO gives credit for BA’s prompt response to the attack and its implementation of remedial measures within 90 minutes of being made aware of the breach. Similarly, the ICO took into consideration as a mitigating factor Marriott’s prompt action to implement technical remedial measures. Further, both BA and Marriott were credited with being forthcoming and cooperative with the ICO and other law enforcement and regulatory agencies, and transparent with data subjects regarding the breach.
The ICO appreciates the potential limitations of transaction due diligence (but considers data security due diligence to be an ongoing obligation).
Marriott acquired the Starwood hotels group in 2016, at which point the group had already suffered the cyber-attack in question (at the time of Marriott’s acquisition of Starwood, Starwood’s IT infrastructure had been compromised for approximately two years). Despite this, the ICO’s penalty notice did not take into account the period between Marriott’s acquisition of Starwood and the date the GDPR came into force (it focussed instead only on the period following 25 May 2018). Consequently, the ICO did not assess Marriott’s due diligence of Starwood or comment on the adequacy of that process. The ICO even acknowledged that there “may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover”. However, the ICO noted that the acquisition of a company is not the only trigger for a due diligence process and that Marriott had an “ongoing duty to ensure that the systems it had acquired from Starwood were GDPR compliant” and that “even if adequate due diligence had been undertaken at the point of acquisition, that would not have removed Marriott’s obligation to ensure, on a continuing basis, that it complied with the GDPR”.
Notification through widespread public engagement may have a deterrent effect.
In its penalty notice to BA, the ICO noted that BA had issued “a press release to 5,000 journalists and commentators, and [was] active on television, social media and in the press about the attack”. It is possible that this level of public engagement by BA contributed to the ICO’s analysis that its penalty did not need to be increased (see Step 4, above) in order to promote the deterrent effect. More specifically, the ICO found that the “widespread reporting in the media of the attack is likely to have increased the awareness of other data controllers of the risks posed by cyber-attacks and the need to ensure that they take all appropriate measures to secure personal data”.
Mitigation should also focus on distress.
Mitigating steps should not focus solely on containing the breach. For example, BA offered to reimburse all customers for any financial losses as a direct result of the theft of their card details, and made free credit monitoring available. The ICO acknowledged that such actions have “gone some way to reassure BA’s customers, and therefore may have reduced or mitigated any likely distress that may otherwise have been caused by the breach” and took such actions into account at Step 5 of its analysis. Similarly, Marriott was credited for creating a bespoke incident website in numerous languages, establishing a dedicated call centre, enhancing its data subject rights programme and providing web monitoring to affected data subjects.
The ICO confirmed that all personal data (and not just financial data) is significant to individuals, and therefore breaches of any personal data may cause distress to the customer. Marriott’s argument that “distress will only arise in cases where they are advised by their banks to cancel their payment cards”, and BA’s argument that “payment card details are the only data which could arguably have any degree of sensitivity”, were both rejected by the ICO.
Not all costs incurred as part of mitigation effort will reduce fines.
As part of Step 5 of its assessment, the ICO rejected BA and Marriott’s submissions that the penalty should be further reduced by reference to certain costs incurred by BA and Marriott as part of their efforts to rectify or mitigate the impact of the personal data breaches. This included, in the case of BA, the cost of providing credit monitoring for customers as well as the appointing of external advisers, and in the case of Marriott the cost of establishing a bespoke website, call centre and web monitoring system (along with other customer-facing remediation activities). In both cases, the ICO did not consider it appropriate to “reduce the penalty by reference to the costs… of taking measures to rectify or mitigate the impact of its infringement”, given that “the fact that mitigating measures were taken… has already been taken into account”. This could reflect the ICO’s underlying position that such costs would not have been incurred if either companies had undertaken great due diligence or performed more rigorous internal penetration tests, and as such should be borne by BA and Marriott.
These costs must, however, be distinguished from investments made into IT infrastructure security, which could, as noted by the ICO in the BA penalty notice, “reduce the risk of a similar attack in the future”. The ICO did take into account Marriott’s budgeted security investment as well as BA’s indication that expenditure on IT security will not be reduced as a result of the impact of Covid-19 as mitigating factors under Step 5.
ICO fines may be imposed for GDPR violations (irrespective of a lack of financial harm or damage such violations give rise to).
The absence of evidence that the personal data breaches resulted in financial harm or damage to data subjects was not considered by the ICO to be a mitigating factor. In Marriott’s penalty notice the ICO noted that it is “not required to investigate the existence or otherwise of financial damage”. Further, it appears that the ICO may take into consideration alternative plausible outcomes in determining the seriousness of the failures at Step 2. For instance, the ICO considered the scenario whereby BA was never alerted to the breach by a third party, or if the attacker “used the access for other purposes (such as targeting high-profile individuals, disrupting customer bookings, or perpetrating other forms of fraud)”, in concluding that “the failures are especially serious” as the “number of affected data subjects and any financial harm to them could have been even more significant”. to the potential gravity of the breach, rather than the actual consequences of the breach, will therefore be factored into the ICO’s assessment.
The data controller is wholly responsible for breaches of Article 5 and 32 of the GDPR.
The fines imposed on BA and Marriott relate to “breaches of Articles 5(1)(f) and 32 GDPR…not the actions of third parties”. Whilst the ICO appreciates that, in both instances, the third party “attacker” engaged in criminal activity, it is specifically noted that this did not alter the obligations on either company to have in place “appropriate [security] measures” that “should have been addressed on a prospective basis”. Moreover, in Marriott’s case, despite security being provided by an experienced third-party provider, the ICO held that “the fact that [the third-party] was charged with implementing, maintaining or managing certain elements of the system does not reduce Marriott’s responsibility for the breaches”. As the relevant data controller, Marriott was not able to reduce its degree of responsibility by engaging a third party.
Pre-emptive testing is key.
The ICO expects data controllers and processors to undergo “rigorous testing” (e.g. vulnerability scanning, security testing, internal credential-based penetration testing) in order to identify any issues pre-emptively. It is evident that the ICO would be more critical of breaches which could have been identified and appropriately addressed on a prospective basis, especially if the measures “could have been made relatively quickly and easily” (as was the case in Marriott) and “would not have entailed excessive cost” (as was the case in both BA and Marriott).
Negligent conduct may be considered among the ‘most severe’ personal data breaches.
While acknowledging that there is an important distinction between an intentional or deliberate act and a data breach that arises through negligence, the ICO has indicated its willingness to treat both, severely. The ICO noted in BA that it “[did] not accept that as a matter of general principle concerns about deterrent effect should be limited to deliberate breaches”. In fact, it specified in Marriott’s penalty notice that it would not be consistent with Article 83 of the GDPR “if fines only applied to deliberate conduct”.