July has been an extremely busy month for the Information Commissioner’s Office (ICO) with the publication of notices of intention to fine two global companies more than £282 million for data protection breaches.
This follows extensive ICO investigations into British Airways (BA) and the Marriott hotel chain. The notice of intention to fine BA £183.39 million for infringements of the General Data Protection Regulation (GDPR) is almost double the £99 million it intends to fine Marriott International.
The BA incident is believed to have begun in June 2018 and in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, the personal details of approximately 500,000 customers were harvested by the attackers.
The ICO investigation identified poor security arrangements at BA and, as a result, BA has made improvements to its security.
Similarly, Marriott reported a cyber incident to the ICO in November 2018. A variety of personal data contained in approximately 339 million guest records globally was exposed by the incident. Around 30 million records related to residents of the European Economic Area (EEA), of which 7 million related to UK residents.
The ICO's investigation found that Marriott failed to undertake sufficient due diligence when it bought a hotel group and should also have done more to secure its systems.
Both BA and Marriott are co-operating with the ICO and will have the opportunity to make representations to the ICO as to the proposed findings and sanction. The ICO has been acting as the lead supervisory authority for other EU Member States in these investigations and will make a final decision in due course.
The ICO has issued useful guidance for organisations on data and cyber security. This includes information on the level of security that is required, which technical and organisational measures to consider, and how to ensure that your measures are effective. Their guidance can be found here.
As always, if you have a legal query please get in touch with the FSB Legal Helpline on 0345 0727727 and we'll be happy to assist you.