You may have read about the UK Information Commissioner's Office (ICO) proposal to fine British Airways £183.39M (AU$320M) for infringements of the European General Data Protection Regulation (GDPR).
The ICO has also recently announced its intention to fine Marriott International £99,200,396 (AU$178M) for similar data breaches. Each case involved a sophisticated cyberattack which exposed large volumes of customer information over an extended period.
ICO investigated each of these cases as lead supervisory authority on behalf of other EU Member State data protection authorities. Under the GDPR ‘one stop shop’ provisions, the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.
Failure to secure information
The conduct for which British Airways and Marriott are being fined is a failure to implement appropriate security arrangements for the personal data they each held.
The British Airways incident in part involved the diversion of user traffic from the British Airways website to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which lasted for some months in 2018.
The Marriott incident is believed to have started when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. According to the ICO, this breach involved approximately 339 million guest records globally, of which around 30 million related to residents of 31 countries in the European Economic Area, the area regulated by the GDPR.
Failure of due diligence
The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems. According to the ICO:
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
How will this affect Australian organisations?
Australian organisations which do business in the EEA, and collect personal information of individuals located there, are likely to be subject to the GDPR with respect to that information.
It is not necessary for an Australian company to have a permanent presence in the EEA or to have representatives there in order to be caught. For instance, companies which supply products and services online and which target customers in the EEA are likely to be subject to the regulation.
A warning for all organisations that hold data
What the decisions indicate is that the European privacy regulators are prepared to come down hard on breaches of the GDPR which have wide impact and that inadvertence is no defence. Companies are expected to implement satisfactory security controls to prevent the types of incidents which affected British Airways and Marriott.
In relation to Marriott, this is a warning to all companies which are acquiring other businesses. Due diligence must include a thorough review of the target's IT systems and any evidence of past cyber incidents which have resulted in personal data being compromised.