Record fines levied by UK data protection authority under the GDPR
The UK’s data protection authority, the Information Commissioner’s Office (ICO), has levied a record £183.39 million fine against British Airways. Believed to have commenced in June 2018, users of British Airway’s website were redirected to a fraudulent website, where personal identifiable information (PII) was then collected by fraudsters. The incident was publicly disclosed on 6 September 2018; the PII of approximately 500,000 individuals was affected, with names, email addresses, credit card information and travel booking details compromised. The ICO reported that the airline cooperated with its investigation and made improvements to its cyber security. Nonetheless, the ICO issued the fine citing the company’s “poor security arrangements” as a cause of the privacy breach. Representing 1.5% of British Airway’s global turnover for 2017, the £183 million fine is the largest issued to date by the ICO, and the highest fine ever issued under the General Data Protection Regulation (GDPR). British Airway’s parent company, International Consolidated Airlines Group, has indicated its intent to challenge the fine.
On 9 July 2019, the day after the British Airways fine was announced, the ICO announced its intention to fine Marriott International £99,200,396 under the GDPR stemming from a data breach involving the hotel chain’s Starwood Customer loyalty program website. The Starwood breach compromised the PII contained in approximately 339 million customer records; approximately 30 million of those involved records of EU residents, with 7 million customers thought to reside in the UK. The ICO stated that the Marriott failed to conduct proper due diligence and should have done more to secure its network systems during the acquisition of Starwood in 2016. Marriott has publicly indicated that it has cooperated with the ICO’s investigation and that it intends to contest the ICO’s findings.
The GDPR is the European Union’s updated data privacy legislative regime, which came into force on 25 May 2018. The GDPR has extra-jurisdictional effect and applies to Canadian companies that obtain personal information of EU residents in connection with “the offering of goods or services” (irrespective of whether payment is required), or “monitoring” an individual’s behavior within the EU. Fines for non-compliance with the GDPR can reach exorbitant amounts, up to the greater of:
- €10 million or 2% of an organization’s global annual turnover for contraventions related to technical measures, such as breach notifications or impact assessments; or
- €20 million or 4% of an organization’s global annual turnover for non-compliance with key provisions of the GDPR, such as transfers of personal data outside the EU to countries or organizations that do not ensure an “adequate level of protection”.
While robust internal compliance and cyber security measures are the primary mechanisms to prevent and mitigate potential GDPR violations, insurance can play a valuable risk transfer role. A cyber liability insurance policy can provide beneficial first-party coverage for crisis management costs incurred when investigating and mitigating a breach, including IT forensics, legal costs, public relations expenses, notification costs and credit and identity theft monitoring, if required. Third party costs, such as settlement and judgment amounts, could also be covered should the insured face third-party claims resulting from a privacy breach. A cyber policy could also respond to cover legal defense costs in the event of a claim or lawsuit, which would also include contesting a GDPR fine or penalty. There is currently no clear guidance regarding the insurability of GDPR fines and penalties stemming from a cyber breach–insurability will be subject to the local laws of the member state in which the relevant EU data protection authority levies the fine. The broadest cyber insurance policy wording may provide insureds with the opportunity to argue that GDPR fines are insurable by including affirmative coverage for civil or non-criminal fines and penalties.