This last week saw significant compliance and enforcement activity with respect to both GDPR and the FTC. Specifically, we saw two significant GDPR fines handed down by the UK Information Commissioner’s Office (ICO) against British Airways (approx. $230 million) and Marriott International (approx. $130 million). In addition, Facebook settled with the FTC for the largest privacy-related penalty ever at $5 billion. Discussed in more detail below, these developments provide some valuable insight into the landscape of data privacy governance and compliance.
On July 9, 2019, the ICO issued a notice of its intention to fine Marriott International £99,200,396 for violating the EU’s General Data Protection Regulation (GDPR). The fine relates to an incident that Marriott brought to the ICO’s attention in November 2018. Specifically, approximately 339 million guest records containing a variety of personal data were exposed by the incident. Approximately 30 million records were thought to relate to residents of 31 countries in the European Economic Area (EEA), with 7 million relating to UK residents. It is believed the exposure began when systems of the Starwood hotel group were compromised in 2014. Marriott acquired Starwood in 2016, but the exposure was not discovered until 2018.
The ICO found that Marriott failed to undertake sufficient due diligence when it bought Starwood. It also found that Marriott should have done more to secure its systems, specifically “putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected,” according to Information Commissioner Elizabeth Denham.
The ICO further stated that Marriott has cooperated with the ICO investigation and made improvements to its security arrangements since discovery of the events in question. As allowed under the GDPR’s “one stop shop” provisions, the ICO has been investigating the case as lead supervisory authority on behalf of other EU Member State data protection authorities, who will have an opportunity, along with Marriott, to comment on the ICO’s findings. The ICO states it will carefully consider the representations of both the company as well as other data protection authorities before making a final decision.
In a statement filed the same day with the U.S. Securities and Exchange Commission announcing the ICO’s proposed fine, Marriott stated that it “intends to respond and vigorously defend its position.” Marriott CEO Arne Sorenson stated: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database. We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.” Marriott also stated that the Starwood database that was attacked is no longer used for business operations.
Similarly, the day before (July 8, 2019), the ICO issued notice of its intent to fine British Airways £183.39 million for GDPR infringements. British Airways notified the ICO of the incident in September 2018; the incident involved user traffic to the British Airways website being diverted to a fraudulent site. The attackers harvested customer details through this fraudulent site, compromising approximately 500,000 customers. The ICO found that the company had poor security arrangements which compromised a variety of data, including login, payment card, and travel booking details, as well as name and address information.
In her statement, Commissioner Denham stated that “[w]hen an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The ICO noted that British Airways cooperated with the investigation and has since made improvements to its security arrangements. As with Marriott, the ICO was investigating the case on behalf of other EU Member State data protection authorities as the “lead supervisory authority”. Both British Airways and those data protection authorities will be given an opportunity to comment on the ICO’s findings, which it will consider carefully before making a final decision.
In its announcement to the London Stock Exchange regarding the ICO’s proposed sanctions, British Airways chairman and chief executive Alex Cruz stated: “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused.” Willie Walsh, International Airlines Group chief executive, also stated that IAG intends “to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
The FTC also voted this past week to approve a record settlement with Facebook over the company’s 2018 Cambridge Analytica scandal. The settlement of $5 billion represents the largest fine ever approved by the FTC against a technology company – over 200 times larger than the previous largest fine.
The settlement was adopted along party lines, with the three Republican commissioners supporting it and the two Democratic commissioners against it, and signals the end of a wide-ranging probe into Facebook’s mishandling of personal information that began more than a year ago. From here, the Department of Justice must approve and finalize the FTC settlement, which it typically does.
The two Democratic votes against the settlement suggest some desire for stronger executive accountability and stronger internal processes, and concern that even such a large fine may not be sufficient to incentivize change. Despite the record fine, critics have assailed the FTC for approving a fine that is small (approximately 9%) in comparison to Facebook’s massive profits, calling the agency’s efforts a “slap on the wrist.” The real test of the agency’s work will depend on the final terms and conditions of the settlement agreement, which have not yet been disclosed. Facebook’s stock closed nearly 2% higher after the news broke. In April, Facebook had warned Wall Street that it could face a fine as high as $5 billion, and had set aside a $3 billion charge in its first quarter earnings report, in which it announced $15 billion in quarterly revenue.
Under the FTC’s new settlement, Facebook could have to document every decision it makes about data before offering new products and closely monitor third-party applications that collect users’ information, and Facebook CEO Mark Zuckerberg and other top executives could be required to attest that the company has adequate privacy protections. Facebook had agreed to broad versions of these terms as part of the confidential settlement talks with the FTC, according to the Washington Post. These provisions are broader than the 2011 settlement agreement, which had required Facebook to give users greater notification about what happens to their data and how their information is used. That agreement also required Facebook to submit to 20 years of regular privacy checkups from outside watchdogs, even though those reviewers had not flagged any major mishaps at the company.
As more frequent and significant fines continue to emanate from both Europe and the U.S., heightened responsibilities for companies and their management translate to larger budgets for privacy programs and data governance, which require systems and technologies to be managed at scale. It is becoming increasingly apparent that GDPR compliance is real (and not just for the tech industry, as the Marriott and British Airways proposed sanctions make clear), and that compliance with the California Consumer Privacy Act (CCPA) is around the corner. (Often compared to GDPR, the law becomes effective Jan. 1, 2020.) Although some criticize the significant FTC fine as a “slap on the wrist”, such fines could be crippling to companies with less revenue, and the non-monetary terms of the settlement, once revealed, could forecast more about what to expect in terms of the new standards of “reasonableness”. Other states, such as Nevada and New York, are also passing more stringent laws. Data privacy as an enterprise-wide risk management issue is clearly here to stay, and will require cross-functional collaboration across multiple departments and business units. Compliance and best practices, both abroad and at home, should be a top priority for companies in all industries.