GDPR’s first major data breach fines: 3 takeaways

Just as some critics were beginning to doubt GDPR’s effectiveness after having been in force for over a year, the UK Information Commissioner’s Office (ICO) has announced intent to levy major fines against two global enterprises — British Airways and Marriott — for violations of the EU’s data privacy regulation.

Unlike the first six-figure GDPR fine, which involved a Portuguese hospital’s failure to restrict access to patient records, both of these $100-million-plus penalties involve failure to protect personal information against data breaches. On July 8, the ICO announced an intent to fine British Airways £183.4 million ($230 million) due to a website security failure that compromised more than 500,000 customer records. The following day, the commission stated it intends to fine Marriott International £99 million ($123 million) over an exposure of 339 million guest records due to a vulnerability dating back to the company’s acquisition of Starwood Hotels.

(Note: At this time, both fines have only been proposed. Both organizations will have the opportunity to respond to the allegations before penalties are levied.)

As these cautionary tales continue to unfold, we can identify several takeaways that can inform and instruct businesses seeking to avoid similar penalties with regard to data privacy in an increasingly complex regulatory environment.

1. Vet and monitor third-party applications

While British Airways has not released details on the September 2018 breach, several security experts agree that the theft was made possible by malware planted onto the airline’s payment page via the Modernizr JavaScript library, third-party code used to detect HTML5 and CSS3 features in various browsers. The hackers were able to modify the Modernizr code to capture the data users submitted via payment forms and divert it to their own server located in Romania.

Whether British Airways was aware of Modernizr’s vulnerability or not when the airline first began using the JS library, they bear full responsibility for the violation and for the pursuant penalties. This incident, similar to the Ticketmaster breach in June 2018, highlights the importance of properly vetting and monitoring any third-party applications involved in the gathering and processing of personal data.

2. Incorporate data privacy into M&A due diligence

In November 2018 Marriott notified the ICO of a cyberattack on the guest reservation database of Starwood Hotels, which Marriott had acquired in 2016, involving 339 million customer records. In the investigation that followed, the vulnerability that the hackers exploited was traced back to a pre-merger attack on Starwood in 2014. According to the press release announcing the GDPR fine, “[t]he ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”

As we’ve explored in previous Insights, data privacy has become an essential part of the M&A due diligence process, as acquirers seek to avoid the same type of troubles Marriott is experiencing. In the ICO statement, Information Commissioner Elizabeth Denham emphasized that acquirers are responsible for “putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

3. More fines are coming (and, under CCPA, so are lawsuits)

With two record-setting GDPR fines being announced in the course of two days, we may be seeing the tip of an enormous iceberg as supervisory authorities refine their processes for enforcing the regulation. Since enforcement began in May 2018, fines have been levied against organizations of all sizes, from small local companies to global enterprises, across all industries, and more investigations are underway:

• The UK ICO reports that it is looking at 12 further “significant cases” involving data breaches, including a 2018 hack of a telecom retailer involving 10 million customer records.
• Ireland’s Data Protection Commissioner reports that there are currently 51 “large scale” data breach investigations underway, the first of which will conclude over the summer of 2019.

For businesses who may have postponed GDPR readiness because they doubted authorities’ ability to effectively enforce the regulation — or because they believed they would fly under regulators’ radar — this would be a good time to reconsider that position.

Another factor to consider is the California Consumer Privacy Act (CCPA), which goes into effect in January 2020, and the private right of action it grants to consumers affected by data breaches. Under CCPA, any consumer whose non-encrypted personal data is subject to unauthorized access as a result of insufficient security measures may institute a civil action for damages ranging from $100 to $750 per consumer per incident. This may not sound like much, but in cases where impacted records number in the thousands and millions, it can add up quickly.

Even one year after the GDPR’s effective date, a degree of uncertainty persists with regard to what day-to-day enforcement of the regulation will look like. What we do know for certain, as the BA and Marriott cases affirm, is that regulators are serious about enforcing it, that major fines are a real risk for companies who fail to comply, and that prudent organizations would be wise to follow the lessons learned from those whose compliance failures are now costing them.

General Manager of Data Privacy Jill Reber is a nationally recognized expert on data privacy — particularly GDPR, CCPA, and other data protection laws — and has spoken on the topic at conferences sponsored by American Banker, International In-House Counsel Journal, Information Management, the American Bar Association, and other national and international organizations.

Executive Team member Kevin Moos is recognized for his experience with knowledge management systems. He has lent his expertise to several prestigious industry panels on enterprise content management and other topics.