The ICO announces landmark intended fines under GDPR for data breaches

By Patricia Jones on July 11, 2019

The Information
Commissioner’s Office (ICO) has recently demonstrated that it will take a hard
line on data breaches announcing on 8 and 9 July 2019 that it intends to fine British
Airways £183.39 million and Marriot
International £99.2 million.

Both fines relate to cyber
incidents. In the British Airways incident the personal and financial details, including
contact and payment card details, of approximately 500,000 customers were
harvested. The ICO’s subsequent investigation found that information was
compromised by poor security arrangements.

In the Marriot incident a variety
of personal data, including email addresses, phone numbers, dates of birth and
passport numbers, from approximately 339 million guest records globally were
exposed. Whilst Marriott notified the breach to the ICO in November 2018, it is
thought the vulnerability began in 2014 when the systems of the Starwood hotels
group were compromised. The ICO found that Marriott failed to undertake
sufficient due diligence when it bought Starwood in 2016 and should have done
more to secure its systems.

Fines for a GDPR breach can
be up €20 million or 4 per cent of annual global turnover, whichever is higher.
The intended fines are two of the largest ever levied by the ICO amounting to 1.5
per cent of British Airway’s turnover and 2.4 per cent of Marriott
International’s turnover reflecting the ICO’s view of the gravity of the
breaches. Interestingly had Marriott International discovered and disclosed the
data breach prior to 25 May 2018, it would have been fined under the previous
Data Protection Act, which had an upper fine limit of £500,000.

British Airways and Marriott
International now have the opportunity to make representations to the ICO
regarding their intended fine before the ICO makes its final decision. However,
these intended fines serve as a reminder that GDPR compliance is not optional
and is underpinned by strong enforcement powers which the ICO is willing to
exercise.

Should you wish to
discuss data breaches or GDPR compliance generally please contact Amy Chandler
or Patricia Jones.

The post The ICO announces landmark intended fines under GDPR for data breaches appeared first on Pannone Corporate.