ICO Again Delays Fines Against British Airways and Marriott
The announcements in July of 2019 of the UK Information Commissioner’s Office’s (ICO) intention to impose record-breaking GDPR fines on British Airways and Marriott were supposed to send a clear message to companies still vacillating about their privacy and data security compliance. However, as of April 2020, the ICO has not imposed the fines on the companies and will apparently extend its regulatory review period into the summer of 2020.
The $230 million proposed fine against British Airways related to the 2018 data breach resulting from what the ICO investigation found to be “poor security arrangements.” The incident involved the diversion of British Airways website traffic by malware to a fraudulent website that collected personal details on approximately 500,000 customers beginning in June 2018. The compromised information included names, addresses, login details, payment cards, and other travel booking details. British Airways notified the ICO of the cyber incident in September 2018.
The $123 million proposed fine against Marriott stemmed from the November 2018 disclosure that personal data contained in approximately 339 million guest records globally had been exposed as a result of a breach of the Starwood hotels system in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until two years later. The investigation by the ICO revealed that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.
The ICO would typically have six months from giving notice of its intent to fine an organization to issuing an actual penalty. During that time, the organization and the data protection authorities from the other GDPR jurisdictions have an opportunity to weigh in on the proposed fine.
British Airways and Marriott had already received an initial extension of the six-month period back in January. According to a recent report, an ICO spokesperson confirmed that its “regulatory process is ongoing” in both cases. British Airways’ review period has now apparently been extended to mid-May, while Marriott’s deferral will be to June 1, 2020. The organizations would have an opportunity to appeal any penalties if and when they are imposed by the ICO.
The delay in the imposition of the record fines, however, does not mean that the authorities will not pursue companies that fail to comply with the privacy regulations. According to DLA Piper’s GDPR Data Breach Survey, as of January 2020, data protection regulators had imposed $126 million in fines under the GDPR regime for a wide range of infringements, not just for data breaches.