British Airways and Marriott International hotel chain face huge fines under new GDPR data breach rules
British Airways and Marriott International hotels are facing a total of £282m in fines as the data watchdog signalled its intention to crack down on companies which fail to protect people’s information from cyber attacks.
In a dramatic two days, the airline was hit by a £183m fine on Monday after ‘poor security’ enabled hackers to steal the personal details of 500,000 passengers last year. In a separate incident US hotel chain Marriott was today asked to pay £99m after it was revealed last year that 339 million guests had been affected by a breach that went unreported for four years.
The fines were issued by data watchdog The Information Commissioner’s Officer under the punitive new General Data Protection Regulation (GDPR), which came into force on May 25; according to the regime, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17million (20m Euro) or 4% of global turnover. The maximum under the Data Protection Act 1998 was £500,000.
The ICO also released its annual report today and in the section where it lists British Airways and Marriott being part of ‘ongoing investigations’, it also mentions Cathay Pacific, which exposed personal data of 9.4m passengers in a breach last year. An ICO spokesperson confirmed that the Hong Kong airline is also being investigated under GDPR.
Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
The watchdog stressed that both British Airways and Marriott had co-operated with the ICO investigation and has made improvements to security arrangements since these events came to light. The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.
The ICO has been investigating the cases as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators.
Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings. The ICO said it will ‘consider carefully’ representations made by the companies and any other ‘concerned data protection authorities’ before it takes its final decision.
Not a drop wasted: digital cask filling can save the whisky industry millions
Scotland’s food and drink sector is central to the country’s economy. Bringing in around £14 billion every year, it employs more than 115,000 people and accounts for one in five manufacturing…
The value of engineering in the curriculum
If you were to look back at the greatest discoveries in science and technology over the past 30 years, you would soon notice that engineering is a key catalyst for…
Glasgow Council leads the way in digital learning
In 2017, we at Glasgow City Council took the opportunity to overhaul our digital approach to education and redefine learning, keeping in mind the core aim of reducing the impact…
Why data is the new oil
In 2006, British mathematician Clive Humby coined the phrase, “Data is the new oil”. This analogy has been proven correct as data now powers entire industries and holds tremendous value…
Global Entrepreneurship Week offers chance to reset aspirations amid new innovation landscape
With the advent of Global Entrepreneurship Week, it is an opportunity for us to celebrate the innovators, the grassroots risk takers who drive the economy, and those who invest in…
Aberdeenshire leads the way in work-based learning
There has long been debate about the distinction to be drawn between vocational and academic learning. However, in Aberdeenshire Council the focus is on what is best for our learners;…
5G connectivity can ’empower people to restore our planet’
Six years on from the Paris Climate Accords and the world is still getting warmer. We are now seeing first-hand the impact of climate change – the floods and fires…
Cracking the code to offline computational thinking
In our digitally connected world, it can be argued that coding and especially computational thinking have become essential parts of a new ‘computing literacy’ to support traditional literacy. These computational…