GDPR fines: British Airways and Marriott

5 minutes reading time

This week we have seen the first show of muscle by the Information Commissioner as she has confirmed her intention to issue substantial and significant fines to both British Airways and Marriott International for their individual infringements of the General Data Protection Regulation (GDPR).

British Airways is to be fined an eye watering £183.39 million.  It is the first fine to be issued by the ICO under the new regime and its largest to date. It amounts to 1.5% of British Airways’ £11.6 billion worldwide turnover for last year.   As the maximum penalty which can be imposed under the new regime is 4% of a business’s global annual turnover, some may feel BA should count its blessings.   The ICO has confirmed that the incident is “believed to have begun in June 2018” but the ICO wasn’t notified until September 2018, although BA has cooperated with the ICO in its investigation.

The fine relates to a personal data breach which occurred due to poor security systems.  Around 500,000 users of the British Airways website were diverted to a fraudulent website which compromised their personal data. The data compromised included customers’ login details, booking details, their names, addresses and payment card details.

The ICO’s proposed fine for Marriott is £99.2 million and relates to a personal data breach arising from a cyber-theft incident which exposed the personal data (including credit card details and passport numbers) of approximately 339 million guests. The ICO’s investigation confirmed that Marriott failed to carry out sufficient due diligence when it acquired the Starwood hotel group, whose systems were compromised in 2014 (prior the acquisition by Marriott Hotels in 2016).  It then took a further 2 years for the breach to be identified and reported. The ICO’s view is that Marriott should have done more to make sure that it's IT systems were secure. Both British Airways and Marriott now have the chance to make representations to the ICO before a final decision is made.

However, Carla Murray comments “These levels of fines are something we have been warning businesses of in the lead up to and following the implementation of the new regime.  We have been waiting for this first show of power and it comes as no surprise that the ICO has somewhat made an example of BA and Marriott.  Businesses cannot simply pay lip service to the new regime, having policies in place is not enough, they need to be implemented, monitored and updated.  The Marriott breach also highlights that all businesses that have been on the acquisition trail recently need to take stock of the IT systems they have acquired or inherited as part of their corporate acquisitions and check for vulnerabilities.  It would be foolish to simply sit back and wait for a breach to occur especially where the cost is so high.”

If you wish to discuss any GDPR, or data protection related issues, or would like any further advice on IT assets and acquisitions, please contact our specialist Corporate/ Commercial lawyers