In recent weeks, the Information Commissioner’s Office (ICO) announced its first potential fines under the General Data Protection Regulation enforcement regime. To recap, the ICO can impose a fine for a data breach of up to €20m or 4% of an organisation’s annual worldwide turnover for the preceding financial year, whichever is higher.
Turbulence ahead for British Airways
- BA failed to implement appropriate security measures to protect its customers’ personal data. The cyber security incident involved user traffic to the BA website being referred to a fraudulent site, where around 50,000 customers’ details were gathered by hackers. This included personal data such as names and addresses, login details, payment details and travel booking details.
- The ICO proposes to impose a fine on BA of £183.39 million for this cyber security incident.
No holiday for Marriot
- Marriot failed to undertake sufficient due diligence when it acquired Starwood Hotels, and failed to secure its systems to protect its customers’ personal data. The incident involved the guest reservation database of Starwood Hotels being compromised, which exposed millions of hotel guests’ personal data, including payment details, names and addresses, and passport numbers.
- One day after the ICO announced BA’s fine, the ICO proposed to fine Marriot £99.2 million for this cyber security incident.
It is vital to ensure that appropriate security measures are in place. You should therefore review your information security policies and measures, and undertake an analysis of the risks presented by processing personal data and assess the level of security you need to put in place. As a starting point, you should consider the following:
- How many staff members do you have and what access do they have to personal data? How do you keep IT equipment, particularly mobile devices, secure?
- If personal data is accidentally lost, altered or destroyed, can you recover it? How do you dispose of paper and electronic waste?
- Is access to your premises or equipment given to anyone outside your organisation e.g. for computer maintenance?
- How do you control access to your premises, and how are visitors supervised? Do you have protection at your premises, such as alarms, security lighting or CCTV?
If you require any further information, please contact our Commercial team on 0113 849 4000.