British Airways and Marriott still dealing with the Proposed Record ICO Fines - Clarip Privacy Blog

Record ICO Fines Against British Airways and Marriott

The July 2019 announcements of the United Kingdom Information Commissioner’s Office’s (ICO) intention to impose record-breaking GDPR fines on British Airways and Marriott sent a clear message to companies still indecisive about their privacy and data security compliance. The ICO still has not imposed the fines, and the final penalties may change after further review. These impending fines are expensive and time-consuming for corporations struggling during a pandemic. Auditing, preparing to respond to legal inquiries, and preparatory expenses from outside legal counsel can amount to millions of dollars. This does not include auditing software, audit teams, and internal audits. Uncovering risks in real time with privacy risk monitoring software can reduce the fines a company may face under privacy regulations.

The €183 million ($230 million) proposed fine against British Airways related to the 2018 data breach resulted from what the ICO investigation found to be “poor security arrangements.” The incident involved the diversion of British Airways website traffic by malware to a fraudulent website that collected personal details on approximately 500,000 customers beginning in June 2018. It took British Airways three months to notify the ICO of the cyber security incident, exceeding the 72-hour breach notification requirement of Article 33 of the GDPR. The compromised information included names, addresses, login details, payment card data, and other travel booking details.

The €99 million ($123 million) proposed fine against Marriott stemmed from the November 2018 disclosure that personal data contained in approximately 339 million guest records globally had been exposed as a result of a breach of the Starwood hotels system in 2014. Marriott acquired Starwood in 2016, but the exposure of customer information was not discovered until two years later. The ICO investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems upon acquisition.

Marriott International has appealed against the fine via submissions to the regulator. The company and the ICO have agreed to extend the regulatory process until September 30, after which the regulator will make a final decision. The delays in finalising the hefty fines against British Airways and Marriott may stem from concern that the cases could be dismantled as regulatory overreach.

To date, the highest GDPR fine actually imposed is the €50 million ($58.8 million) penalty levied by the French Data Protection Authority against Google. The enforcement actions against British Airways and Marriott International serve as a wake-up call to companies about the penalties they may face for not prioritizing cybersecurity and risk monitoring.
