GDPR, information security and the importance of carrying out "proper due diligence"
ICO issues statements of intention to fine British Airways and Marriott.
In July 2019, the UK Information Commissioner's Office (ICO) issued statements of intention to fine Marriott more than £99 million and British Airways £183 million for breach of data protection law. The size of the fines has led to extensive media coverage and has potentially had a deterrent effect on companies across the EU. However, the statements from the ICO provide only limited guidance as to the cause and justification.
British Airways experienced a cyber-incident in autumn 2018, in which user traffic to its website was directed to fraudulent sites, leading to the compromise of personal data, including the credit card information of 500,000 customers. The company notified the ICO about the breach, and its cooperation throughout the investigation could be one factor contributing to the fine being set at around 1.5% of the company's total worldwide annual turnover, instead of the maximum 4%. See GDPR art. 84(4).
Marriott notified the ICO about information security issues in November 2018. However, the vulnerability dated back to 2014 in Starwood Hotels' systems, before Marriott acquired the company in 2016. The breach led to the exposure of 339 million guest records globally, 30 million of those relating to residents of 31 EEA countries. Even though the vulnerability arose in Starwood's systems before the acquisition, the ICO has concluded that Marriott can be held responsible. The Norwegian Data Protection Authority (in Norwegian: Datatilsynet) has stated that the case also includes Norwegian customers, which means it will be involved as one of the authorities concerned and will have the opportunity to give its opinion on the case.
Information Commissioner Denham states that companies' responsibilities under GDPR include "carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected".
Denham's statement is of importance to any acquiring company, as it emphasizes how data protection due diligence can be an important part of an acquisition process and how data protection law increases the acquiring company's responsibilities. Based on this case, carrying out a "proper due diligence" entails, in our opinion, both a legal due diligence and a technical due diligence to ensure that the acquired data is sufficiently protected. A clearly defined scope at the outset, taking into account the nature of the target business and the likely risks it will face from a data protection perspective, will be essential in the due diligence exercise. Purchasers should seek contractual protection and further ensure that all "post-completion" resolutions are actioned and completed as soon as possible following completion of the transaction.
The ICO has yet to elaborate on the facts and legal basis in both cases, but clarification is expected in the monetary penalty notices, which will include both the final fine and more information. Marriott and British Airways can also appeal against both the notice and the quantum of the fines to the Information Tribunal.
In Norway we have not yet witnessed any fines issued by the Norwegian Data Protection Authority which in size reach the level of the Marriott and British Airways cases. Still, we have seen that the most recent fines issued by the Norwegian Data Protection Authority are significantly higher than those issued under the previous legislation. As an example, in April this year the Norwegian Data Protection Authority imposed an administrative fine of 1.6 million Norwegian kroner, the equivalent of €170,000, on the Municipality of Bergen. The incident related to computer files with usernames and passwords for over 35,000 user accounts in the municipality's computer system. "The security in the login system has been so poor that unauthorized persons could get access to usernames and passwords in the learning platform and in the school's administrative systems," says director Bjørn Erik Thon.
What these cases have in common is that they all relate to the lack of appropriate measures to protect the personal data in the computer file systems. The GDPR stipulates that both controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Based on the first wave of cases from the data protection authorities around Europe, which also includes other cases than those mentioned herein, it appears that many businesses still have a job to do when it comes to information security. To avoid major consequences for your company's reputation, and possibly also its economic situation, we strongly recommend that all companies work to ensure proper data protection across all systems. The Marriott case represents an additional aspect, as it seems to include a more specific expectation on businesses when it comes to carrying out a proper data protection due diligence process upon acquisitions.