The U.K. Information Commissioner’s Office (ICO) announced record penalties this week against British Airways and Marriott, the largest proposed to date under the General Data Protection Regulation (GDPR), which is just over one year old. Both are notices of intent rather than final fines.
The ICO proposed a fine of roughly $230 million (£183 million) against British Airways for a 2018 incident in which traffic to the airline’s website was diverted to a fraudulent site that harvested the personal and payment card data of about 500,000 customers.
The ICO proposed a fine of roughly $123 million (£99 million) against Marriott for the exposure of about 339 million guest records held in the Starwood reservation database, a breach Marriott first disclosed in November 2018.
Both companies can make representations on the proposed penalties before the ICO issues a final decision, and both said they will contest them.
The maximum GDPR fine is €20 million or 4% of a company’s annual global turnover, whichever is higher. The proposed BA fine amounted to roughly 1.5% of the airline’s annual turnover; both proposed fines were well below the 4% ceiling.
The ICO said both companies cooperated fully with their respective investigations.
This raises the stakes for large technology companies such as Google and Facebook, both of which are currently under investigation by EU data protection authorities, and for whom the legislation was essentially tailor-made. Based on their 2018 annual revenue, a maximum 4% penalty would be roughly $5 billion for Google and roughly $2.2 billion for Facebook.
Marriott’s CEO Arne Sorenson said in a statement, “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”
The ICO’s investigation found that Marriott had failed to undertake sufficient due diligence on the data it inherited, and on how that data was protected, when it acquired Starwood in a $13.6 billion deal that closed in 2016. The unauthorized access to the Starwood database is believed to have begun in 2014, before the acquisition, and went undetected until 2018.
“The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected,” Information Commissioner Elizabeth Denham said in the ICO’s statement.
British Airways parent IAG said it was “surprised and disappointed” by the proposed penalty, and said it would “vigorously” defend the airline’s position.
According to GlobalData, the notices should push large, global enterprises to scrutinize their cyber security far more closely.
Nick Wyatt, Head of R&A, Travel & Tourism at GlobalData, a data and analytics company, offers his view:
“In a survey conducted by GlobalData, 37% of respondents stated that their companies were making a ‘major investment’ into cybersecurity technologies now. A further 43% said they would be doing so in the next three years.”
Wyatt said that while the 37% figure is encouraging, the fact that over 40% of companies are still delaying investment, despite last year’s large-scale breaches at Marriott and British Airways, shows that security measures are often “not yet robust enough.”
“The consequences are clearly significant in financial terms, but there is also a somewhat intangible reputational impact,” Wyatt continued. “Consumers’ faith in companies can be shaken, particularly in the travel and tourism industry, where companies have a duty of care to look after highly sensitive personal data such as that contained within passports. These fines must serve as a wake-up call for other companies, many of whom are still highly vulnerable to cyberattacks themselves. These companies need to act now and ensure that they are harnessing the latest technologies to protect their customers’ personal data.”
“Network security continues to be an afterthought for a large percentage of companies,” said Ed Wood, CEO, Dispersive, a network security company based in Atlanta. “This is indicated by the 43% of companies that are looking at the next three years to address their cybersecurity needs. There needs to be a sense of more urgency. With breaches becoming an almost daily occurrence, companies will not only start to pay more fines but they will also see their bottom line affected when consumers switch their allegiances to companies that take the security of their personal information more seriously and take the maximum steps needed to protect it.”
Arti Loftus is an experienced Information Technology specialist with a demonstrated history of working in the research, writing, and editing industry with many published articles under her belt.
Edited by Maurice Nagle