British Airways and Marriott International hotels are facing a total of £282m in fines as the data watchdog signalled its intention to crack down on companies which fail to protect people’s information from cyber attacks.
In a dramatic two days, the airline was hit by a £183m fine on Monday after ‘poor security’ enabled hackers to steal the personal details of 500,000 passengers last year. In a separate incident, US hotel chain Marriott was today asked to pay £99m after it was revealed last year that 339 million guests had been affected by a breach that went unreported for four years.
The fines were issued by data watchdog the Information Commissioner’s Office (ICO) under the punitive new General Data Protection Regulation (GDPR), which came into force on May 25. Under the regime, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17million (20m Euro) or 4% of global turnover. The maximum under the Data Protection Act 1998 was £500,000.
The ICO also released its annual report today and in the section where it lists British Airways and Marriott being part of ‘ongoing investigations’, it also mentions Cathay Pacific, which exposed personal data of 9.4m passengers in a breach last year. An ICO spokesperson confirmed that the Hong Kong airline is also being investigated under GDPR.
Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
The watchdog stressed that both British Airways and Marriott had co-operated with the ICO investigation and have made improvements to security arrangements since these events came to light. The companies will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.
The ICO has been investigating the cases as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators.
Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings. The ICO said it will ‘consider carefully’ representations made by the companies and any other ‘concerned data protection authorities’ before it takes its final decision.