Marriott and BA: cybersecurity basics emphasised in GDPR enforcement

Out-Law Analysis | 12 Nov 2020 | 6:15 pm | 6 min. read

Comments made by the UK's data protection authority in sanctioning both British Airways (BA) and global hotel chain Marriott International recently highlight the regulatory risks businesses face if they fail to implement cybersecurity guidance in the public domain.

Both BA and Marriott International were fined by the Information Commissioner's Office (ICO) over data security failings which came to light following cyber attacks the companies reported in 2018.

In the monetary penalty notices imposed on each of the companies, the ICO gave a detailed account of the nature of the failings as it saw them. In both cases the ICO referred to extracts from guidance produced by bodies such as the UK's National Cyber Security Centre (NCSC) and the US National Institute of Standards and Technology (NIST) as evidence of good practice on cybersecurity and identified areas where BA and Marriott had failed to implement the recommendations.

The General Data Protection Regulation (GDPR) provides for an assessment of the 'state of the art' by businesses when considering what measures would be appropriate to implement to ensure the security of processing. These decisions of the ICO emphasise the need for organisations to ensure that they are kept updated with all relevant guidance as to appropriate measures to make systems and data secure.

The action taken by the ICO

On 30 October, the ICO announced that it had fined Marriott International £18.4m after it found that the company had breached data protection law in the way it protected customer data. An estimated 339 million hotel guests had their data compromised in a cyber attack that went undetected for approximately four years. The company had announced in November 2018 that it had identified that there had been "unauthorised access" to one of its databases since 2014 following a cyber incident. The database was one that was added to Marriott's IT estate when it acquired the Starwood business in 2016.

The announcement of the Marriott fine followed the £20 million fine the ICO imposed on BA on 16 October over data security failings which enabled unauthorised access to be obtained to personal and payment card information relating to more than 400,000 of its customers. The cyber attack took place in 2018.

The ICO acted as the lead investigating supervisory authority on behalf of data protection authorities across the EU. It is clear from the collective enforcement action in recent months, and in particular since the GDPR took effect, that there is significant focus from European regulators on the measures businesses put in place to protect the security of systems and data. The BA and Marriott cases are a continuation of that theme.

Cybersecurity guidance shapes ICO views

In the monetary penalty notices issued in both cases, the ICO made a point of mapping the data security failings it said the companies were responsible for against cybersecurity guidance that was in the public domain at the time the incidents occurred.

Stuart Davey, Senior Associate:

"While the ICO, like other European data protection authorities, will ultimately assess compliance against the black letter law of data protection law, its action against BA and Marriott highlights the importance the authority places on adherence to cybersecurity guidance in the public domain."

In the BA notice, for example, the ICO highlighted that the attacker had gained initial access to BA's network using compromised credentials of a user within a third party supplier who was accessing the BA network remotely. The attacker was then able to "breakout" from the remote access systems into the wider network BA operated.

The ICO referred to a range of guidance in the public domain prior to the GDPR taking effect that it said highlighted the risk of a "supply chain attack" and which set out steps organisations could take to "address the threat of such an attack". Examples cited in this regard included:

  • The Centre for the Protection of National Infrastructure's (CPNI) good practice guide of April 2015, entitled 'Mitigating security risk in the national infrastructure supply chain';
  • Supply chain security guidance issued by the National Cyber Security Centre (NCSC) in January 2018 which supplemented the CPNI guidance;
  • The ICO's own 'GDPR security outcomes' guidance of April 2018;
  • The 'Top Ten Proactive Controls 2016' as listed by the Open Web Application Security Project (OWASP);
  • The US National Institute for Standards and Technology's (NIST's) 2016 guidance entitled 'Back to basics: multi-factor authentication'.

In the Marriott case, the ICO focused its scrutiny not on the initial security breach, but on the lack of "appropriate and adequate" security measures Marriott had in place for identifying the breach and for preventing "further unauthorised activity".

The ICO said in particular that there was a "failure to put in place appropriate ongoing monitoring of user activity, particularly activity by privileged accounts". Again the ICO sought to flag these failings in the context of guidance in the public domain. It referred to:

  • The NCSC November 2018 guidance entitled '10 steps to cybersecurity: guidance on how organisations can protect themselves in cyberspace, including the 10 steps to cybersecurity';
  • The NCSC January 2018 guidance entitled 'Introduction to identity and access management'.

The ICO said: "Both examples of NCSC guidance detail the basic need for multiple security techniques, processes and technologies in order to secure systems. Accordingly, Marriott ought to have been aware of the need to have multiple layers of security in place in order to adequately protect personal data."

While Marriott had applied multi-factor authentication controls and had other "additional security measures in place", the company "ought to have had in place better monitoring of user activity to aid in the detection of an attack, as an additional layer of security", the ICO said.

The ICO said Marriott could also have gone further to exercise control over critical systems. It said it "would have been appropriate for Marriott to implement a form of server hardening as a preventative measure", citing in particular the use of 'whitelisting' as a means of restricting users' access to specific systems or software in a way that corresponds with their role.

The ICO highlighted the fact that this kind of security measure had been recommended in:

  • The NCSC '10 steps to cybersecurity…' guide;
  • The NCSC's 'Cyber Essentials' guidance, published in October 2015;
  • NIST's October 2015 guide to application whitelisting.

While the ICO, like other European data protection authorities, will ultimately assess compliance against the black letter law of data protection law, its action against BA and Marriott highlights the importance the authority places on adherence to cybersecurity guidance in the public domain.

In referencing guidance from NIST in the two cases, the ICO is making clear that, in the case of multinational businesses at least, it will expect companies to maintain awareness of prominent guidance developed not just in the UK but in other jurisdictions too.

The Marriott case: other notable insights

In the Marriott case, the ICO also provided some clarity on the question of when a personal data breach is considered to be reportable under the GDPR.

Under the GDPR, organisations must notify relevant data protection authorities of personal data breaches "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons". In addition, where there is a high risk of damage arising to the data subject then the data subjects must be informed directly without undue delay.

The ICO disagreed with Marriott's submission that data controllers must be reasonably certain that a personal data breach has occurred before their obligations to report the breach are triggered. Instead, the ICO held that the test of whether an incident is reportable is that the "data controller must be able to reasonably conclude that it is likely a personal data breach has occurred".

Jonathan Kirsop, Partner:

"The ICO also confirmed that cyber attacks need not be successful for it to determine that a business has breached its data security obligations under the GDPR."

In addition, the ICO confirmed that cyber attacks need not be successful for it to determine that a business has breached its data security obligations under the GDPR, rejecting Marriott's claim that the ICO had relied on the "success" of the attack as evidence of a breach of the GDPR in its case.

On this point, the ICO said: "The [information] commissioner does not rely on the 'success' of an attack as evidence that a breach of GDPR definitely occurred. Instead the attacker's ability to exploit deficiencies in Marriott's security measures, for which remedies were available, discloses wider failures to put appropriate measures in place."

In arriving at the penalty, the ICO applied the same regulatory action policy it had described in detail in the British Airways monetary penalty notice. The ICO followed the same systematic approach in the Marriott case to calculate the appropriate fine, including applying a further reduction to the fine it had deemed appropriate in order to recognise the economic impact of Covid-19.

The ICO also made some interesting observations around data protection due diligence in major transactions. Though the original breach into the relevant systems pre-dated Marriott’s acquisition of the Starwood business in 2016, the ICO made no finding as to the adequacy or otherwise of Marriott’s due diligence into Starwood prior to acquisition. It said: "There may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover." The ICO's decision instead focuses on the steps Marriott took following the entry into force of the GDPR in May 2018 and its failure to adequately prepare the legacy Starwood systems to protect personal data.