British Airways and Marriott received the largest-ever fines under the EU's new General Data Protection Regulation this past week.
The U.K. Information Commissioner's Office (ICO) fined British Airways a proposed $230 million for an incident that took place from June to September 2018 and compromised the data of 500,000 customers. The ICO gave Marriott a $123 million proposed penalty for the loss of 339 million guest records, reported in November 2018. Both companies have the opportunity to respond to the fine before the ICO issues a final decision, and both companies already indicated they will appeal the decision.
But the GDPR fines were important for reasons well beyond numbers. The GDPR is a very broad rule with little detail, and companies have had few insights into how regulators in the EU would interpret the law, particularly what they would consider "adequate" security measures.
The maximum GDPR fine is 4% of a company's global turnover. The fines for BA and Marriott both represented 1.5% of their respective turnover, and the commission said both companies cooperated fully with their respective investigations.
This makes the stakes particularly high for tech companies like Google and Facebook, which are currently under investigation in the EU, and for whom the legislation essentially was tailor-made. Google could face a fine of up to $5 billion, and Facebook up to $2.2 billion, based on both companies' annual revenue in 2018.
Earlier this year, the ICO indicated it would investigate Google over the leaking of customer data from its advertising platform. Google has already faced scrutiny and fines under the GDPR from France's regulator, with a $57 million penalty levied in January for "lack of transparency" and valid consent controls for users, among other issues.
Facebook has also received modest penalties for the Cambridge Analytica scandal, in which users weren't given proper notice that a survey was being used for political research and advertising. The company incurred a modest fine of $644,000 for that incident, but is currently under investigation for a breach of usernames and passwords on its Facebook and Instagram platforms that could be far more costly.
The decisions included punitive language that has been uncommon in the privacy enforcement arena, particularly in the U.S., where companies are traditionally treated as victims of cybercrime first, rather than perpetrators of data loss.
This standpoint was reflected in a statement, filed with the Securities and Exchange Commission by Marriott CEO Arne Sorenson:
"We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database."
In fact, the European Data Protection Board questioned how well Marriott had vetted and protected data when it acquired Starwood in a $13.6 billion deal that closed in 2016.
"The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected," the board said.
The commission said less about its fine of British Airways, but the relatively short-term breach and relatively small number of affected customers show the commission may build past data security issues into its equation as well. British Airways parent IAG said it was "surprised and disappointed" by the decision, and said it would "vigorously" defend its stance.
While it's still too early to know what will happen after the companies contest the fine, companies are focusing closely on the early wording of the rulings by the commission, said Paul Ferrillo, partner in the cybersecurity practice at law firm Greenberg Traurig.
"The proposed fine against Marriott should serve as notice to other companies both under investigation now, and investigated down the road, that the fines and penalties provision of the GDPR is the real deal," he said. "We are no doubt on notice of more fines and penalties to come by the EU regulators."
The ICO has also shown it will focus on companies it sees as having been "lax in their responsibilities," not just every corporation large and small that has a data breach, said Chet Wisniewski, principal research scientist at U.K.-based cybersecurity company Sophos.
"If this happened for years and you didn't remedy the system, and you had lots of chances, that's where the ICO might punish more," he said. "Marriott in particular will draw everyone to the M&A aspect of this, and how companies should ask [businesses they are about to acquire] 'what kind of private information do you have on our customers, what procedures and security measures do you have in place?'"
The rulings should give companies a reason, once again, to evaluate whether their security measures are enough to withstand the ICO's scrutiny, Ferrillo said. They should also "reassess the amount and sufficiency of their cybersecurity insurance coverage," to be certain a hefty GDPR fine is covered, he said.