Two record fines issued by the ICO for inadequate cybersecurity in breach of the GDPR.
Our Lexing France correspondent tells you what you need to know about these decisions.
These British record fines should make every company aware of the importance of properly protecting its data.
Lessons learned from these decisions: how to benefit from mitigating factors, how to reduce fines in the event of a security breach, and how EU supervisory authorities work together on cross-border processing.
1. Two record-breaking fines for serious data breaches
In October 2020, the Information Commissioner’s Office (ICO) fined the airline British Airways (1) and the hotel chain Marriott International Inc. (2) for failing to adequately protect their customers’ data, in breach of their security obligations under the General Data Protection Regulation (GDPR).
The two record fines imposed by the ICO, £20 million (approximately €22 million) for British Airways and £18.4 million (approximately €20 million) for Marriott, are a reminder of the central role of the GDPR in cybersecurity.
Issued a few days apart, these decisions involve two cases with some similarities.
2. Two cyber attacks that led to data breaches
Although both companies had the financial means and the highly qualified staff needed to ensure a high level of security, each was hit by a cyber attack carried out by one or more attackers who remain unidentified to date. The attackers exploited flaws in their systems:
- For British Airways, it all began in 2018 with a supply chain attack (3): the attacker gained access to the airline’s IT systems through the unsecured employee account of one of its suppliers. By taking advantage of further vulnerabilities, the attacker redirected the payment data entered by customers on the official British Airways website to another website under the attacker’s control (a technique known as “web skimming”) (4). The attacker stole information such as names and addresses but, above all, the banking data (card numbers and CVV codes) of 429,612 British Airways customers.
- For Marriott, the attack affected its subsidiary Starwood (5) as early as 2014. Using a piece of malicious code called a “web shell” (6) and various other techniques (remote access trojans and Mimikatz (7)), the attacker managed to log in to insufficiently secured user accounts. The attacker was then able to reach Starwood’s guest reservation database and export data such as names, dates of birth, email addresses and, most importantly, passport and credit card numbers. Nearly 339 million guest records were affected.
In the ICO’s view, it is clear that in both cases appropriate, readily available and mature security measures, such as multi-factor authentication (8) on the compromised accounts, would have made it possible to prevent, detect and/or mitigate the impact of the attacks without excessive cost (9).
3. Identification of infringements
In both cases, following an investigation, the ICO found a serious breach of the security obligations under two articles of the GDPR, namely Article 5(1)(f) (integrity and confidentiality) and Article 32 (security of processing), which require data controllers to “implement appropriate technical and organisational measures” to protect the personal data they process “including … against unauthorised or unlawful processing” (10).
Brushing aside the argument raised by both companies that Article 5 is merely a summary of Article 32, the ICO confirmed that the two articles are distinct provisions of the GDPR, notwithstanding the degree of overlap between them.
The issue mattered because each Article attracts a different fine tier (11). Under Article 83(3) of the GDPR and the EDPB Guidelines, where several infringements of the GDPR are committed together in a single case, the authority may impose a fine in the category of the gravest infringement, provided that the total amount of the administrative fine does not exceed the amount specified for that gravest infringement (12). Both companies were therefore exposed to the highest fine tier under the GDPR, i.e. up to 4% of worldwide annual turnover. In 2017, British Airways had revenues of £12.226 billion and Marriott of $4.997 billion.
4. Elements taken into account to calculate the fines
In assessing the amount to be imposed, the ICO applied the criteria set out in Article 83(2) of the GDPR. It found it appropriate to impose a penalty (13) in particular in view of the following:
- the nature of the compromised data: even though no special categories of personal data were involved, the compromised data create opportunities for identity theft;
- the significant duration of the infringements;
- the number of data subjects affected.
Moreover, for the ICO, even if the infringements were not intentional or deliberate acts on the part of the companies, British Airways and Marriott were both negligent (14) in maintaining IT systems that suffered from significant vulnerabilities and shortcomings.
The ICO pointed out that companies of the size and profile of British Airways and Marriott were expected to be aware that they were likely to be targeted by attackers. They should have taken appropriate steps to secure the large volumes of personal data processed as part of their business (15). Both companies, as data controllers, were considered “wholly responsible” (16) for the breaches. The engagement of a third-party IT security service provider cannot reduce the controller’s degree of responsibility (17).
At this stage, the starting amounts of the fine set by the ICO are respectively £30 million for British Airways and £28 million for Marriott (18).
5. Elements taken into account to reduce the fines
The ICO pointed out the “multiple” and “serious” failures of both companies in the management of their cybersecurity. However, the fines are less severe than expected not only because of mitigating factors, but also because of the economic impact of the current public health crisis.
5.1 Mitigating factors
The ICO recognised several mitigating factors (19) in favour of the two hacked companies, such as:
- the immediate measures taken to mitigate the harm suffered by the data subjects (such as disabling compromised accounts and resetting passwords);
- the prompt notification of the affected data subjects and of the authorities, together with the widespread media coverage of the attack, which is likely to have increased other data controllers’ awareness of the risks posed by cyber attacks and of the need to take all appropriate cybersecurity measures;
- their full cooperation with the authorities during the investigation;
- their significant IT security budget and the fact that expenditure on IT security would not be reduced as a result of the impact of Covid-19;
- the creation of a bespoke incident website in numerous languages and a dedicated call centre to inform the data subjects affected by the incident and handle their requests;
- the reimbursement of the direct financial losses incurred by the affected data subjects;
- the adverse effect of the cyber attacks on the companies’ brand and reputation, which will itself have had some dissuasive effect on other data controllers;
- the absence of any financial benefit gained or loss avoided as a result of the infringement.
These mitigating factors allowed both companies to benefit from a 20% reduction in the amount of the proposed fine.
5.2 The Covid effect
Before issuing a fine, the ICO takes into account its economic impact on the offender and the economy in general. In accordance with the ICO Coronavirus Guidelines, and in the light of the current public health emergency and associated economic consequences, it was found appropriate to reduce the fine.
Each of the two companies was granted a reduction of £4 million.
5.3 Fines lower than expected
In the end, these record fines are less severe than initially expected, far below the £183 million and £99 million initially announced (20). They are also far from the theoretical maximum, which is €20 million or 4% of worldwide annual turnover, whichever is higher.
Both companies reportedly indicated that they did not wish to appeal the ICO’s decisions, without, however, admitting any liability for breach of the GDPR.
Commenting on the decisions of its British counterpart, France’s data protection authority, the CNIL, considered that these record fines were “proportionate to the gravity of the infringements identified”.
While these record fines imposed by the ICO are the largest imposed in terms of security, the highest fine under the GDPR remains to date the one imposed by the CNIL against Google (50 million euros) in January 2019. Penalties against H&M by the German authority (35 million euros) and against the telecom operator TIM by the Italian authority (27 million euros) respectively rank second and third in the biggest GDPR fines.
Note that the current ICO penalty procedure (21), on the basis of which these two decisions were taken, is currently being modified. According to the document submitted to public consultation, the future procedure will comprise 9 steps (currently 5) and will specify, in a detailed table, the amount of the fines as a percentage of turnover (22).
6. Cross-border processing requiring cooperation of the EU supervisory authorities
In both of these cases, the data breaches had a cross-border dimension, as the data subjects affected were located not only in the United Kingdom, but also in several European countries.
In order to harmonize the decisions of data protection authorities concerning cross-border processing (23) at the European level, the GDPR has set up:
- a “one-stop-shop” mechanism (Art. 56), intended to spare the companies concerned cumbersome and time-consuming procedures (24);
- a cooperation mechanism (Art. 60) between the lead supervisory authority and the other supervisory authorities concerned.
In application of these mechanisms:
- there is a single contact point for controllers: the lead authority, i.e. the supervisory authority of the country in which the company’s main establishment is located. In these cases, that was the ICO for the United Kingdom (25).
- there is a single decision valid throughout the EU: the lead authority’s decision is taken in consultation with all the supervisory authorities concerned. The ICO therefore investigated on behalf of all the EU authorities (the infringements occurred before the UK left the EU), and its proposed record fines were approved by the other EU authorities. In particular, they were carefully reviewed by the CNIL’s sanctions committee.
The ICO decisions show that the one-stop shop mechanism can lead to major decisions on processing carried out on a European scale.
7. Cybersecurity and GDPR: key takeaways and best practices
The ICO stressed it repeatedly throughout its decisions: a data controller must apply, on an ongoing basis, all appropriate measures to ensure the security of the data it processes. Security flaws may lead to very heavy penalties not only under the GDPR, but also through lawsuits (26) brought by the affected data subjects (27).
The fact that the other EU supervisory authorities approved the ICO’s decisions (both the infringements identified and the fine amounts) invites all EU data controllers to draw lessons from them.
In particular you should:
- ensure proper management of your information assets by implementing appropriate security measures and documenting them;
- know how to respond to a cyber attack or security breach (28) so as to benefit from the mitigating factors that can reduce, sometimes substantially, the amount of any fine imposed;
- protect against cyber risk by adapting your insurance policies to cover these IT risks.
(1) ICO Penalty Notice, British Airways plc, case ref: COM0783542, 16 October 2020.
(2) ICO Penalty Notice, Marriott International Inc, case ref: COM0804337, 30 October 2020
(3) More than 80% of organisations have experienced a data breach due to security vulnerabilities in their supply chain. “Cybersécurité : votre chaine d’approvisionnement est désormais votre maillon faible”, www.zdnet.fr, 29-9-2020
(4) Web skimming (often associated with the “Magecart” attack groups) is a type of fraud in which malicious script injected into a merchant’s checkout page captures payment details as the customer enters them and sends them to a server controlled by the attacker.
(5) The Starwood systems were first compromised in 2014, i.e. prior to Starwood’s acquisition by Marriott in 2016. For the ICO, Marriott was not vigilant enough. Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.” https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach/
(6) A web shell is a piece of malicious code that attackers implant on a web server to obtain remote access to it and execute commands on it.
(7) Mimikatz is a tool used to extract credentials (plaintext passwords, password hashes and Kerberos tickets) from the memory of Windows systems.
(8) The authentication of a user is qualified as strong or multifactor when it calls for a combination of at least two authentication factors. See Cnil Guide “Security of Personal Data”, 2018 edition, p.7.
(9) ICO decision British Airways points 6.29, 6.72 and 6.96; ICO decision Marriott, points 6.38 and 6.59.
(10) ICO decision British Airways points 1.6 and 6.1; ICO decision Marriott points 1.6 and 6.1.
(11) For infringements of Article 5(1)(f): fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(4)(a)), and for infringements of Article 32: fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5)(a)).
(12) ICO decision British Airways points 7.54 and 7.81; ICO decision Marriott, point 7.83.
(13) ICO decision British Airways section 7, p.60 et seq., ICO decision Marriott, section 7, p. 50 et seq.
(14) ICO decision British Airways point 7.19; ICO decision Marriott point 7.16
(15) ICO decision British Airways point 7.20; ICO decision Marriott point 7.17
(16) ICO decision British Airways, point 7.28; ICO decision Marriott 7.26.
(17) ICO decision Marriott, points 7.27 and 7.28.
(18) ICO decision British Airways, point 7.36; ICO decision Marriott point 7.36.
(19) ICO decision British Airways point 7.41 et seq; ICO decision Marriott point 7.41 et seq.
(20) The ICO decisions do not contain explanations on how the amounts of the fines initially announced (£183 million and £99 million) were calculated.
(21) Described in its Regulatory Action Policy (RAP) p.27 and explained for instance in ICO decision Marriott point 2.38.
(22) One of the main arguments of the two companies was that in its draft decisions, the ICO had relied on an internal document (Draft internal procedure for setting and issuing monetary penalty) which contained a table with turnover bands. The companies objected to the application of that document and the ICO indicated in its final decisions that it did not take this internal document into account. This “Draft internal procedure” may be close to its future penalty procedure, which was recently submitted to public consultation.
(23) According to Article 4(23) of the GDPR, “cross-border processing” means either (a) processing of personal data where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the EU but which substantially affects data subjects in more than one Member State.
(24) Companies established outside the European Union are not eligible for the one-stop-shop mechanism, even if their data processing concerns persons living in several Member States.
(25) British Airways is a subsidiary of International Airlines Group, which is registered in Spain but has its operational headquarters in the United Kingdom (ICO decision British Airways point 1.3). Marriott is an international hotel chain, with operational headquarters in the USA; Marriott Hotels Limited, Marriott’s main establishment within the EU, is in the United Kingdom (ICO decision Marriott point 1.3).
(26) Class-action lawsuits have been filed against Marriott and British Airways. “European Consumer Groups Begin Suing Over Data Breaches”, The Wall Street Journal, 6-11-2020.
(27) Neither company admitted liability for breach of the GDPR before the ICO (ICO decision British Airways and ICO decision Marriott, points 1.6), even if they both would have indicated that they did not wish to appeal the ICO’s decisions.
(28) See in particular France’s article “How to respond to a cyber attack or security breach?”, p.12, Lexing Insights, No. 26, October 2020.