Three ICO Enforcement actions in a month – What do the Ticketmaster, Marriott and British Airways penalties tell us about cyber resilience and data breach?
It has been a busy few weeks for the Information Commissioner, with the ICO most recently publishing a Penalty Notice for GDPR breaches under the Data Protection Act 2018 (DPA) against Ticketmaster, which it has fined £1.25m.
The Information Commissioner's action against Ticketmaster, announced on 13 November, comes hot on the heels of the fines imposed by the ICO on British Airways (16 October) and Marriott International (30 October).
Now we have a total of 278 pages of GDPR penalty notices from the ICO (leaving aside its first GDPR fine of £275,000 against a pharmacy which left personal data unsecured in its back yard), what does this tell us about what is expected of data controllers and processors before and during a cyber incident, and what to expect should an enforcement action ensue?
Set out below are our key takeaways across Ticketmaster, Marriott and British Airways (see our Talking Tech articles for more detailed analyses of the BA and Marriott penalty notices). We note that the enforcement path to the Ticketmaster fine was somewhat different to those for BA and Marriott. In particular, the ICO published statements of intention to fine BA and Marriott back in July 2019 (which were then subjected to intense media scrutiny), but did not do so for Ticketmaster (to whom it issued a Notice of Intent to fine in February 2020). In the case of Ticketmaster, the timeline was as follows:
- A customer support chatbot embedded in Ticketmaster's online payments page was compromised, which resulted, between February 2018 and June 2018, in a personal data breach. During the relevant period for the purposes of the penalty (25 May to 23 June 2018, being the period during which the GDPR was in force) 9.4 million EEA data subjects were notified as having been potentially affected.
- In June 2018, the ICO published a response to the Ticketmaster cyber incident stating that it would be making enquiries.
- In February 2020, the Commissioner issued Ticketmaster with a Notice of Intent to impose a proposed penalty of £1.5 million.
- On 13 November 2020, the Commissioner fined Ticketmaster £1.25 million. The Commissioner found that a penalty of £1.5 million would be appropriate but reduced the penalty by £250,000 in light of the impact Covid-19 has had on Ticketmaster's financial position.
Key takeaways…
…BEFORE a cyber incident:
- Cyber security must be prioritised and companies must keep pace with emerging industry expectations. In BA, the ICO stressed that "it is for the controller to consider what measures are appropriate for securing its system". In Marriott, significant emphasis was given by the ICO to adherence to industry standards, which the ICO considered as relevant evidence of "the state of the art" (in the context of Article 32 GDPR). It is clear from this that data controllers should be aware of, and implement all, such relevant industry standards. This may pay off in the event of an enforcement action - the ICO reduced the penalty against Marriott in part due to Marriott's continued and increasing investment in information security.
- Consider all potential sources of security failures, including third parties. In Marriott, the ICO identified four avoidable major security failures which enabled the attack (namely insufficient monitoring of privileged accounts, insufficient monitoring of databases, failure to implement sufficient controls on critical systems (such as server hardening) and lack of encryption). In Ticketmaster, the ICO indicated that risk assessments should be carried out against all aspects of a company's payment environment, even those it does not directly operate or control. The ICO expects data controllers to carefully monitor their contractual arrangements with third parties, perform regular risk assessments and put in place appropriate contractual provisions, especially when customer payment data is potentially implicated.
- Controllers of personal data will be responsible for data breaches even where they have retained third party providers. Marriott argued that the fact that it had engaged Accenture to assist in the security management of the Starwood network should be taken into consideration when assessing its responsibility for the incident. The Ticketmaster incident resulted from malicious code being inserted into the JavaScript of a customer support chatbot developed and maintained by a third party – and the cyber incident was perpetrated against that third party, not Ticketmaster. Ultimately, the ICO found that this did not reduce the controllers' responsibility for the breaches of the GDPR.
- Consider data due diligence during and following an acquisition. In Marriott, the ICO acknowledged that there may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover – but appears to be seeking to set a clear expectation that, where drains-up due diligence of data security is not possible pre-acquisition (our observation being that this is, at present, the usual position) such issues must be properly considered following an acquisition to ensure ongoing compliance.
…DURING a cyber incident:
- Any technical response must be swift and decisive. Within 90 minutes of being informed that data was being extracted, BA had adapted the malicious code and contained the vulnerability and, 20 minutes later, blocked the URL paths. BA's prompt action was referenced by the ICO when calculating the fine.
- Get the incident response team working to the right scope. The ICO criticised Ticketmaster's initial instructions to its incident response team, indicating that the instructions were too narrow both in terms of subject matter and geographic scope. It also noted that not all relevant information was provided to that team, and the scope and depth of the investigations conducted by the team were limited accordingly.
- Timely communication with the regulator is key. In Marriott, the ICO gave some indication that firms which have suffered a cyber incident may be afforded time to determine whether personal data was compromised prior to notifying the ICO. However, the ICO rejected the submission that the GDPR requires a data controller to be reasonably certain that a personal data breach has occurred before notifying - the ICO clarified that a data controller "must be able reasonably to conclude that it is likely a personal data breach has occurred to trigger the notification requirement".
- Prompt communication with data subjects can help mitigate enforcement exposure. BA notified the ICO, acquirer banks and payment schemes and 496,636 customers the day after the incident, and a further 39,840 customers the day after that. The ICO also accepted both Marriott's and Ticketmaster's submissions that the actions they took to notify data subjects were sufficient to satisfy their obligations under Article 33 GDPR.
- Focus on support of affected data subjects is critical. BA put in place dedicated support for affected data subjects and considered how their loss and distress might be mitigated; it offered to reimburse financial losses resulting from the attack, and made available a free credit monitoring service. The ICO expressly identified this as a mitigating factor. The ICO also acknowledged that both Marriott and Ticketmaster had established dedicated websites for affected data subjects.
…AFTER a data breach:
- Cooperation with the ICO may take some time, but the potential financial benefits of engagement can be significant. All three enforcement subjects provided multiple submissions to the ICO. While the reductions from the intended fines for BA (£163m) and Marriott (£80m) were much larger in monetary terms than the £250,000 reduction for Ticketmaster, the latter still represented over a 16% reduction for Ticketmaster. While any decision about the level of engagement should carefully consider the risks of a prolonged process, this shows the potential financial benefits of cooperating fully.
- Representations on the timeline and context are key. The ICO noted that Ticketmaster reported the incident to the ICO in July 2018 despite third parties having raised a potential personal data breach as early as February 2018 – but notwithstanding this seemingly long period of delay, the ICO accepted Ticketmaster's representations on this issue and decided not to find that Ticketmaster breached Article 33.
- Turnover is a key focus for fines, but is not the only quantification metric. The ICO has stressed that turnover remains "a core quantification metric" – amongst other relevant factors (and BA focused on those other factors in its representations – including the impact of coronavirus). In both the BA and Marriott penalty notices, the ICO confirmed that it had not relied on a draft internal procedure that emphasised the role of turnover in the fine calculation process. The Ticketmaster penalty notice does not reference any reliance on the draft internal procedure, but does take note of Ticketmaster's 2018 revenue figures. How the ICO proposes to apply its calculation of turnover is relevant to its recently closed public consultation on its draft statutory guidance on taking regulatory action.
- Seek non-admission of liability. Notably, BA did not admit liability for GDPR breach, with a key factor likely to have been the ongoing civil litigation it is facing from data breach victims. This underscores the need for a company's enforcement and civil claims defence strategy to be managed in parallel.