The General Data Protection Regulation (GDPR) substantially increased the maximum amount that data protection authorities (DPAs) are empowered to fine organisations, to €20m or 4% of worldwide annual turnover. The UK Information Commissioner’s Office (ICO) has issued a limited number of fines for data protection breaches in the first 5 years of the UK GDPR, and has substantially revised the majority of the provisional amounts of those fines, by an average of up to 77%, in response to the organisations concerned pleading mitigation. In this article, we consider the factors behind, and the consequences of, such significant reductions.
ICO enforcement powers
The ICO may issue information notices (INs), enforcement notices (ENs) and monetary penalty notices (MPNs) under sections 142, 149 and 155 respectively of the UK Data Protection Act 2018. Organisations have 28 days to appeal to the First-tier Tribunal (General Regulatory Chamber) (Tribunal). The ICO has published its Regulatory Action Policy to enable organisations to understand how and when it will use these enforcement powers.
Doorstep Dispensaree Limited
In July 2018, the Medicines and Healthcare Products Regulatory Agency (MHRA) executed a search warrant at the premises of Doorstep Dispensaree Limited (DDL), a supplier of medicines for care homes. The MHRA subsequently notified the ICO that it had discovered unlocked containers holding approximately 500,000 documents in a courtyard accessible from residential flats via a fire escape. The MHRA found that some documents dated back to January 2016, that they included personal data (for example, names and addresses) and special category data (for example, prescriptions), that they were not marked as confidential waste, and that they were partially water damaged; it could not estimate the number of data subjects affected.
Initial ICO intended fine – £400,000 (June 2019)
ICO reduced fine – £275,000 (December 2019)
Tribunal reduced fine – £92,000 (an approximate reduction of 67%) due to:
- DDL financial hardship
- audit findings that in fact only 66,638 documents containing personal data were recovered
British Airways
Between 22 June and 5 September 2018, an unidentified cyber attacker utilised the compromised credentials of a user within British Airways’ (BA’s) third party supplier to access BA’s network and remain undetected. They were able to access the personal data (including names, addresses, payment card numbers and / or CVV numbers) of approximately 430,000 customers and staff, and copy and redirect customer payment card data to their own website.
Initial ICO intended fine – £183.39m (July 2019)
ICO reduced fine – £20m (October 2020) due to:
- the mitigating factors raised by BA
- the impact of the COVID-19 pandemic
Marriott International Inc
During July 2014, an unidentified cyber attacker installed a piece of code known as a “web shell” onto a device within the Starwood Hotels and Resorts Worldwide Inc network to enable remote access as a privileged user. It is estimated that 339m guest records (including 7m in the UK) worldwide were affected. Personal data may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival / departure information, guests’ VIP status and loyalty programme membership numbers. Marriott International Inc (Marriott) acquired Starwood on 31 December 2016 or 1 January 2017, but the attack remained undetected until September 2018.
Initial ICO intended fine – £99.2m (July 2019)
ICO reduced fine – £18.4m (an approximate reduction of 74%) (October 2020) due to:
- the mitigating factors raised by Marriott
- the impact of the COVID-19 pandemic
Ticketmaster UK Limited
On 19 February 2018, an unknown cyber attacker injected malicious code into an Inbenta Technologies hosted chatbot. The code extracted copies of any data submitted on Ticketmaster UK Limited’s (Ticketmaster’s) online payment page. The cyberattack potentially affected 9.4 million customers in the European Economic Area (including 1.5m in the UK) between February 2018 and 23 June 2018. The personal data included names, contact details, usernames, passwords, bank details and credit card, debit card and CVV numbers. Barclays Bank advised that approximately 60,000 individual card details were compromised and Monzo Bank that it was necessary to replace approximately 6,000 cards.
Initial ICO intended fine – £1.5m (February 2020)
ICO reduced fine – £1.25m (November 2020)
Tribunal decision – pending…
In summary, four of the five fines issued by the ICO up to and including 2021 have been significantly reduced after the organisations concerned pleaded mitigation to the ICO and / or the Tribunal. In addition, while some of these reductions specifically cite COVID-19 as a mitigating factor, it will be interesting to monitor how external factors such as COVID-19 continue to affect the fines finally imposed.
Recommendations
In light of the above, organisations should ensure that they:
- raise internal awareness of regulatory fines and the right to claim compensation, in particular to obtain buy-in from senior management for data protection compliance;
- fully establish the details of personal data breaches in order to raise appropriate mitigation with the relevant DPA where necessary;
- take heed of the factors under Article 83(2) of the GDPR and the relevant DPA’s regulatory action or equivalent policy in regard to such breaches; and
- account for the risk of claims for compensation, in addition to regulatory fines, within their insurance cover.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience advising organisations in regard to personal data breaches. For more information please feel free to contact our advisers, who would be more than happy to help.