On Monday 8th July the Information Commissioner’s Office issued a notice of its intention to fine British Airways £183.4 million for infringements of the General Data Protection Regulation.
In its statement, the ICO said that the proposed fine relates to an incident that BA notified the ICO of in September 2018. The login details, payment information, travel booking details as well as names and addresses of approximately 500,000 customers were compromised. User traffic was diverted to a fraudulent site from which the details were harvested.
Information Commissioner Elizabeth Denham said that failure to protect personal information from theft or loss is more than an inconvenience, and that “when you are entrusted with personal data you must look after it.” She added that those that don’t will face scrutiny from her office. I noticed that she said ‘scrutiny’ and not ‘a penalty’.
On Tuesday 9th July, the ICO issued a notice of intent to fine Marriott International £99.2 million for a data breach which the ICO was notified of in November 2018. Approximately 339 million guest records were exposed, of which 30 million belonged to residents of the European Economic Area and 7 million to residents of the UK.
Marriott International acquired Starwood hotels group in 2016 and it is believed that the Starwood systems had been compromised in 2014. The exposure of customer information was not uncovered until 2018. In this statement Denham stressed the importance of “carrying out proper due diligence when making a corporate acquisition.”
Time for some quick maths. The fine per customer/victim of the British Airways data breach works out to be £366. The fine per British customer/victim of the Marriott data breach breaks down to just £14.14.
This serves as an indication to the consumer as to how highly valued their personal and financial details are in the eyes of enforcement authorities.
In this context, the level of the BA fine seems about right, while the Marriott fine seems to be so insignificant as to be hardly worth the bother.
As for the damage that these fines could do to the bottom line, it would be interesting to know how hard a hit those two companies will have to take to their coffers.
I would love to know the reason for the difference. Did the length of the data breach affect the size of the fine? What about the time between the company’s C-suite being made aware of the breach and alerting authorities? What is the process of a fine going from being intended to actual? Is there an appeals procedure through which the companies could reduce the amount they have to pay eventually? Commentators have said that part of the fines could be covered by cyber insurance.
So while the public is likely to welcome the tougher stance that the ICO is taking, there are still many questions to which they would probably like answers.