Out-Law Analysis | 12 Nov 2020 | 6:15 pm | 6 min. read
Both BA and Marriott International were fined by the Information Commissioner's Office (ICO) over data security failings which came to light following cyber attacks the companies reported in 2018.
In the monetary penalty notices imposed on each of the companies, the ICO gave a detailed account of the nature of the failings as it saw it. In both cases the ICO referred to extracts from guidance produced by bodies such as the UK's National Cyber Security Centre (NCSC) and the US National Institute of Standards and Technology (NIST) as evidence of good practice on cybersecurity and identified areas where BA and Marriott had failed to implement the recommendations.
The General Data Protection Regulation (GDPR) provides for an assessment of the 'state of the art' by businesses when considering what measures would be appropriate to implement to ensure the security of processing. These decisions of the ICO emphasise the need for organisations to ensure that they are kept updated with all relevant guidance as to appropriate measures to make systems and data secure.
On 30 October, the ICO announced that it had fined Marriott International £18.4m after it found that the company had breached data protection law in the way it protected customer data. An estimated 339 million hotel guests had their data compromised in a cyber attack that went undetected for approximately four years. The company had announced in November 2018 that it had identified that there had been "unauthorised access" to one of its databases since 2014 following a cyber incident. The database was one that was added to Marriott's IT estate when it acquired the Starwood business in 2016.
The announcement of the Marriott fine followed the £20 million fine the ICO imposed on BA on 16 October over data security failings which enabled unauthorised access to be obtained to personal and payment card information relating to more than 400,000 of its customers. The cyber attack took place in 2018.
The ICO acted as the lead investigating supervisory authority on behalf of data protection authorities across the EU. It is clear from the collective enforcement action in recent months, and in particular since the GDPR took effect, that there is significant focus from European regulators on the measures businesses put in place to protect the security of systems and data. The BA and Marriott cases are a continuation of that theme.
In the monetary penalty notices issued in both cases, the ICO made a point of mapping the data security failings it said the companies were responsible for against cybersecurity guidance that was in the public domain at the time the incidents occurred.
While the ICO, like other European data protection authorities, will ultimately assess compliance against the black letter law of data protection law, its action against BA and Marriott highlight the importance the authority places on adherence to cybersecurity guidance in the public domain
In the BA notice, for example, the ICO highlighted that the attacker had gained initial access to BA's network using compromised credentials of a user within a third party supplier who was accessing the BA network remotely. The attacker was then able to "breakout" from the remote access systems into the wider network BA operated.
The ICO referred to a range of guidance in the public domain prior to the GDPR taking effect that it said highlighted the risk of a "supply chain attack" and which set out steps organisations could take to "address the threat of such an attack". Examples cited in this regard included:
In the Marriott case, the ICO focused its scrutiny not on the initial security breach, but on the lack of "appropriate and adequate" security measures Marriott had in place for identifying the breach and for preventing "further unauthorised activity".
The ICO said in particular that there was a "failure to put in place appropriate ongoing monitoring of user activity, particularly activity by privileged accounts". Again the ICO sought to flag these failings in the context of guidance in the public domain. It referred to:
The ICO said: "Both examples of NCSC guidance detail the basic need for multiple security techniques, processes and technologies in order to secure systems. Accordingly, Marriott ought to have been aware of the need to have multiple layers of security in place in order to adequately protect personal data."
While Marriott had applied multi-factor authentication controls and had other "additional security measures in place", the company "ought to have had in place better monitoring of user activity to aid in the detection of an attack, as an additional layer of security", the ICO said.
The ICO said Marriott could have gone further too to exercise control over critical systems. It said it "would have been appropriate for Marriott to implement a form of server hardening as a preventative measure", citing in particular the use of 'whitelisting' as a means of limiting user access controls to specific systems or software in a way which corresponds with their role.
The ICO highlighted the fact that this kind of security measure had been recommended in:
While the ICO, like other European data protection authorities, will ultimately assess compliance against the black letter law of data protection law, its action against BA and Marriott highlight the importance the authority places on adherence to cybersecurity guidance in the public domain.
In referencing guidance from NIST in the two cases, the ICO is making clear that, in the case of multinational businesses at least, it will expect companies to maintain awareness of prominent guidance developed not just in the UK but in other jurisdictions too.
In the Marriott case, the ICO also provided some clarity on the question of when a personal data breach is considered to be reportable under the GDPR.
Under the GDPR, organisations must notify relevant data protection authorities of personal data breaches "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons". In addition, where there is a high risk of damage arising to the data subject then the data subjects must be informed directly without undue delay.
ICO disagreed with Marriott’s submission that data controllers must be reasonably certain that a personal data breach has occurred before their obligations to report the breach are triggered. Instead, the ICO held that test of whether an incident is reportable is that the "data controller must be able to reasonably conclude that it is likely a personal data breach has occurred".
The ICO also confirmed that cyber attacks need not be successful for it to determine that a business has breached its data security obligations under the GDPR
In addition, the ICO also confirmed that cyber attacks need not be successful for it to determine that a business has breached its data security obligations under the GDPR, rejecting the claim by Marriott that it had relied on the "success" of an attack as evidence of a breach of GDPR in its case.
On this point, the ICO said: "The [information] commissioner does not rely on the 'success' of an attack as evidence that a breach of GDPR definitely occurred. Instead the attackers ability to exploit deficiencies in Marriott’s security measures, for which remedies were available, discloses wider failures to put appropriate measures in place."
In arriving at the penalty, the ICO also applied the same regulatory action policy which had been described in great detail in the British Airways monetary penalty notice it issued. The ICO followed the same systematic approach in the Marriott case to calculate the appropriate fine, including applying a further reduction on the fine it had deemed appropriate to recognise the economic impact of Covid-19.
The ICO also made some interesting observations around data protection due diligence in major transactions. Though the original breach into the relevant systems pre-dated Marriott’s acquisition of the Starwood business in 2016, the ICO made no finding as to the adequacy or otherwise of Marriott’s due diligence into Starwood prior to acquisition. It said: "There may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover." The ICO's decision instead focuses on the steps Marriott took following the entry into force of the GDPR in May 2018 and its failure to adequately prepare the legacy Starwood systems to protect personal data.
19 Oct 2020
12 Oct 2020