High fines for British Airways and Marriott after data breach


Date: July 15, 2019

Modified November 14, 2023

Written by: Annemarie van Woudenberg


The U.K. Data Protection Authority (ICO) has announced that it will impose (record!) fines of over 200 million euros and 110 million euros, respectively, on the airline British Airways and the U.S. hotel chain Marriott, each following a data breach.

At British Airways, the personal data of about 500,000 customers ended up in the hands of hackers in the middle of last year. According to the ICO, this involved login data, name and address details and bank account numbers. As a result of the hack, customers booking a flight on the website were redirected to an insecure website, which gave the hackers access to the personal data. The ICO accuses British Airways of not having taken sufficient measures to secure the personal data of its customers, as a result of which that data ended up in the wrong hands. British Airways should therefore have (demonstrably) done more to prevent the data breach.

Marriott also suffered a hack, in which the hackers penetrated the reservation system. According to the ICO, this was not a one-off data breach: the data of over 300 million customers was stolen over a period of four years. The hack was discovered - unfortunately - only last November. It involved name and address details, e-mail addresses, passport numbers and phone numbers.

It follows from the (potential) imposition of these fines that privacy compliance is actually being enforced.

Good security

A data breach involves cases where there is unauthorized or unlawful processing of personal data. This includes the (un)intentional loss, destruction or damage of personal data. Examples include a lost USB stick, a stolen laptop, a break-in by a hacker - as was the case with British Airways and Marriott - or a malware infection.

Under the GDPR (in the Netherlands known by its Dutch name and abbreviation, hereinafter: AVG), organizations must take appropriate (organizational and technical) measures to secure personal data. This is how an organization prevents a data breach from occurring. Think, therefore, not only of good technical security (for example (two-factor) authentication, pseudonymization/encryption of data, firewalls, backups, logging, etc.) but also of organizational measures. Important in that context is, for example, limiting access to personal data (only persons who need access for their job) and maintaining a proper privacy policy that sets out how personal data is handled within the organization, what obligations the organization has and what to do in case of a data breach or other security incident. Also make sure that compliance with the privacy policy is monitored.

Avoid (high) fines

The AVG sets strict requirements for dealing with data breaches. For example, an organization must document every data breach, including the facts about the breach, its consequences and the actions taken in response to it. In addition, the data breach notification requirement applies, which obliges organizations to report a data breach within 72 hours (after the breach is discovered) to the national privacy regulator, in the Netherlands the Authority for Personal Data. In some cases the data subjects themselves must also be notified. This is the case if the breach is likely to have adverse consequences for the data subjects.

Whether an organization must report a data breach depends on the (potential) impact of the breach on the protection of personal data and the privacy of those involved. The European privacy regulators have published the Data Breach Notification Obligation Guidelines. These guidelines are intended to help organizations decide whether or not a data breach must be reported.

Failure to report a data breach, or to report it in a timely manner, violates the AVG. European privacy regulators can impose large fines in that case.

It is therefore important that organizations minimize the risk of a data breach. The security of data within the organization, both technical and organizational, must be a continuous point of attention. Make sure, therefore, that your organization has done everything possible to prevent a data breach and that a clear protocol/procedure has been implemented within your organization that sets out how to deal with a data breach.

Would you like to know more about this? If so, please feel free to contact me.


Stay Focused

As attorneys for business owners, we understand the importance of staying ahead. Together with us, you will have all the opportunities and risks in sight. Feel free to contact us and get personalized information about our services.