Your company's future depends on your Data Protection Responsibilities

In July 2019 the comfortable assumptions of company ownership were shaken by two announcements from the Information Commissioner's Office in the U.K. The notices have sent a shudder through the boards of many companies.

The announcements demonstrate that Europe's privacy regulators are not afraid to use their authority to impose hefty financial penalties in order to make companies comply with the European Union's General Data Protection Regulation (GDPR). The Information Commissioner's Office (ICO) has announced its intention to levy large fines against British Airways (an airline) and Marriott International, Inc. (a hotel group). These recent notices showcase the power of the financial penalties that can be issued under this law.

The British Airways penalty is based upon 1.5 per cent of the airline's 2017 world-wide turnover and is the largest the ICO has ever proposed to date. It eclipses the $818,597 fine the ICO levied against Facebook (the maximum available under the pre-GDPR Data Protection Act 1998) and the $73,523,063 fine levied against Google LLC by France's national data protection authority, the CNIL.

On the 8th of July the ICO issued a notice of its intention to fine British Airways $300,245,081 for infringement of the GDPR, stemming from a serious cyber-incident that had begun in June 2018 and was reported to the ICO on September 6, 2018. The ICO's notice describes traffic to the British Airways website being diverted to a fraudulent site, through which the attackers harvested customer details.

Ultimately the personal data of some 500,000 travellers was compromised, including login, payment card and travel booking details as well as names and addresses.

One day later, on the 9th of July, the ICO struck again, announcing that it planned to fine Marriott International a staggering $162,410,333 for GDPR infringements relating to a cyber-incident that Marriott reported to the ICO in November 2018 but which dates back to 2014 and involves the systems of another company acquired by Marriott, Starwood Hotels & Resorts Worldwide, LLC.

Marriott purchased Starwood Hotels in September 2016 but kept Starwood's reservation databases separate from its own until December 2018. At the time of the merger, Starwood had 21 million members in its loyalty programs and, given the nature of its business, had collected considerable personal information about its customers.

On September 8, 2018, Marriott received an alert from an internal security tool that there had been an attempt to access the Starwood guest reservation database. Following consultations with security experts, Marriott ultimately learned that attackers, using remote access trojan malware, had gained unauthorized access to the Starwood network, could monitor it, and had been doing so since at least 2014. In other words, the intrusion pre-dated the acquisition by about two years and went undetected through the deal and for a further two years of post-closing operation.

The details of this data breach are truly staggering: 383 million guest records, 18.5 million encrypted passport numbers, 9.1 million encrypted payment card numbers (385,000 of them still valid) and 5.25 million unencrypted passport numbers. The encryption is only a partial comfort: Marriott has said that two components are needed to decrypt the payment card numbers and that it could not rule out that both had also been taken.

Additional information became available in November 2018 following further investigation by Marriott, and the company acknowledged that the data thieves were able to access some combination of names, mailing addresses, phone numbers, email addresses, gender, passport numbers, Starwood loyalty program account information, dates of birth, arrival and departure information, reservation dates and communication preferences.

Anyone who made a reservation at a Starwood property on or before September 10, 2018 was potentially affected, including guests of such Starwood brands as W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Le Méridien Hotels & Resorts, and other hotel and timeshare properties.

The ICO noted that of the millions of guest records exposed by the incident, approximately 30 million related to residents of 31 countries in the European Economic Area, seven million of them U.K. residents.

As in the British Airways case, the other EU data protection authorities whose residents were affected will have the chance to comment on the ICO's findings. Marriott has the right to make representations to the ICO regarding the findings and the proposed sanction, and to appeal.

Regardless of whether the ICO ultimately reduces the proposed fines, there is no question that breaching the GDPR risks the imposition of significant financial penalties.

For example, organizations in breach of the GDPR can be fined up to 4 per cent of annual global turnover or $29,429,392 (whichever is greater). This is the maximum fine for the most serious infringements (e.g. processing personal data without a valid lawful basis such as consent, or breaching the basic processing principles of Article 5, which include the requirement to keep personal data secure). A lower tier, up to 2 per cent of annual global turnover or €10 million (whichever is greater), applies to other obligations, including privacy by design (Article 25) and the security of processing requirements of Article 32.

In addition, "controllers" are responsible for, and must be able to demonstrate, compliance with the GDPR's data-processing principles (the "accountability" principle in Article 5(2)). It is not enough to be compliant; an organization must be able to prove it.

So, what are the (interim) lessons to be learned from the ICO’s recent announcements?

Most obviously, that EU regulators are not afraid to assert their considerable authority against organizations they determine are subject to GDPR compliance requirements, including those that are not EU-based, where there is significant evidence of non-compliance.

Additionally, and as demonstrated by the Marriott case, neither a purchaser's ignorance nor its failure to exercise all necessary due diligence (and to carry out the required post-closing clean-up) will excuse or shield it from GDPR non-compliance, even where the actual security breach occurred at a then-unrelated company before the acquisition.

As UK Information Commissioner Elizabeth Denham (former Information and Privacy Commissioner for British Columbia) commented vis-a-vis the Marriott fine, "organizations are accountable for the personal data they hold, including carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired but how it is protected."