The news earlier this month regarding the two largest fines announced by the UK’s Information Commissioner, Elizabeth Denham, one imposed on British Airways and one on the hotel giant Marriott, sent shockwaves through the privacy community on the one hand, and were completely predictable on the other. While other supervisory authorities across Europe have been quite active in the year since GDPR’s introduction, such as the French regulator, CNIL, and the Spanish regulator, AEPD, the ICO has been relatively silent. Many experts believed that this was simply the quiet before the storm, and oh were they right! While the announcement stunned many in the UK and in the EU generally, it also caused many outside of the EU to perk up their ears.
So, what can non-EU businesses take away from these two incidents? Let’s begin with the BA fine. As the ICO made clear in its announcement, “This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.”
The key takeaway here is the importance of implementing proper and adequate security measures to protect personal information. GDPR requires anyone who holds personal information to implement “appropriate technical and organizational measures” to protect personal data. What does that mean? Well, good question. GDPR is not too prescriptive when it comes to these requirements because, well, it depends. The first thing it depends on is the type of processing you are carrying out. Are you collecting sensitive medical data about minors? If so, you probably need more stringent security than if you were, say, simply collecting names and business emails. Businesses must give some thought to the type of data they are collecting, how personal and sensitive it is, and reach a decision about what measures are appropriate to take in order to safeguard that data. Finally, these considerations and decisions must be documented. This will be your first line of defense when the regulator comes knocking.
The second thing to consider is the consensus among cybersecurity professionals as to what is common practice in the market today. Encryption would be a great example of this. Most cybersecurity pros worldwide would agree that some type of encryption of files which contain personal data is warranted. What type of encryption needs to be deployed? Well, again, that goes back to the first question of how sensitive the data is. Many lawyers and advisers can recite GDPR articles in their sleep, but when it comes to the “technical and organizational measures” part, the approach is “the IT guys will deal with that”. It is key, especially if you are dealing with sensitive data, to have cybersecurity professionals working alongside the lawyers and advisers to ensure data is kept safely and securely.
Now let’s turn to Marriott. The Marriott fine involved a US hotel chain, Starwood, which Marriott bought in 2016. It was discovered in 2018 that the chain had serious security vulnerabilities, dating back to 2014, which should have been, but were not, discovered by Marriott in its purchase of the chain. The ICO said “The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.” The key takeaway here is due diligence. If you are an investor or corporate looking to acquire or invest in a business, you must carry out serious and robust privacy and security due diligence. And, if you are an overseas company, be aware that the price of non-compliance has just risen tenfold. We are likely to see much more serious privacy and security due diligence in M&A transactions as a result of this fine. Also, we are likely to see privacy reps and warranties become more robust in the context of M&A transactions, and we may even see a rise in insurance premiums in this space.
There is no prohibition in GDPR against having a data breach. GDPR fully recognizes that, even with the best security system, the burglars may still get in. The question then becomes: did you do enough to try to prevent them from getting in? Are you able to demonstrate that you were conscious of the risk and took appropriate steps to mitigate it? This is what the regulators are looking for, and this is what will save you from a BA- or Marriott-level fine.
It is important to note in conclusion that both BA and Marriott have announced that they will contest the fines. The courts will ultimately decide if they are to blame or not, and I will be sure to bring you an update on that when the decisions are announced. Watch this space.