The Information Commissioner’s Office (the “ICO”) recently issued three high-profile monetary penalty notices (“MPNs”) for violations of Article 5(1)(f) and Article 32 GDPR. The three fines, totalling £39.65 million, underscore the ICO’s determination to ensure that organizations put in place “appropriate technical and organisational measures” and its willingness to take enforcement action against those that do not:
- On October 16, 2020, the ICO imposed its largest ever fine, £20 million, on British Airways plc (“BA”) in connection with a 2018 data breach in which the personal data of approximately 430,000 BA customers was compromised by an attacker who gained access through systems that employees and contractors could use remotely. A more detailed analysis of the BA MPN can be found here.
- Just two weeks later, Marriott International Inc (“Marriott”) was fined £18.4 million in connection with a cyberattack on Starwood Hotels & Resorts Worldwide, Inc (“Starwood”), which started in 2014 and went undetected until September 2018. This cyberattack resulted in the personal data of around 339 million customers being disclosed. A more detailed analysis of the Marriott MPN can be found here.
- Most recently, on November 13, 2020, the ICO issued Ticketmaster UK Limited (“Ticketmaster”) with an MPN fining the ticket sales and distribution company £1.25m for violations related to a cyberattack in the first half of 2018 that compromised the personal data of up to 9.4 million customers. A more detailed analysis of the Ticketmaster MPN can be found here.
The main lessons from this triumvirate of decisions are that: (1) there is now a well-developed body of case law outlining the steps the ICO considers necessary for organizations that process significant amounts of personal data, particularly payment-related data, to have taken “appropriate technical and organisational measures” to secure the personal data they process; and (2) failure to take such steps has significant financial consequences in the event of a significant data breach (in Ticketmaster’s case, this resulted in a fine of approximately 1% of its worldwide sales for the relevant period).
Our detailed analysis of these decisions also shows:
- The trend of reductions between the fines proposed by the ICO in a notice of intent (“NOI”) and the final figure in the MPN (in the case of BA, for example, there was an 89% reduction);
- The useful guidance in the Marriott MPN on how organizations should determine whether to notify appropriate regulators for the purposes of Article 33 GDPR;
- The importance of robustly challenging the findings in an NOI, an approach that has consistently borne fruit (either overturning or shifting the focus of the ICO’s findings);
- Regarding the BA and Ticketmaster MPNs, the fact that the violations arose from issues related to third parties in their supply chains, and the ICO’s refusal to accept arguments that this in any way displaced BA’s and Ticketmaster’s responsibility as data controllers; and perhaps most importantly,
- The possibility that the fines imposed by the ICO will be dwarfed by liabilities arising from civil claims related to the violations.