Data protection gets serious

July 12 2019 by Nick Ferguson

Any risk managers in doubt about the significance of the EU’s new data protection rules got a rude awakening this week with the news that British Airways faces a record £184 million (US$230 million) fine after the theft of data from 500,000 customers.

The proposed fine relates to a cyber incident that started in June 2018 and was disclosed in September, after hackers diverted BA website visitors to a fraudulent site and harvested customer details. An investigation by the UK’s Information Commissioner’s Office (ICO) found that “poor security arrangements” at the company led to the exposure of login, payment card and travel booking details, as well as name and address information.

“People’s personal data is just that — personal,” said Elizabeth Denham, the UK’s information commissioner. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear — when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office.”

The fine represents around 1.5% of BA’s annual turnover, and while it may look significant — the previous record fine for a data breach was US$55 million paid by Google — the General Data Protection Regulation (GDPR) allows for much bigger penalties.

“We are still far from the maximum, which could potentially reach 4% of global annual turnover,” said Timothee Grange, loss adjuster and Asia Pacific managing director for GM Consultant. “This type of fine’s size could act as a wake-up call and hopefully raise concern and awareness for companies with GDPR exposure everywhere in the world.”

Indeed, just one day after announcing the BA fine, the ICO revealed its intention to fine Marriott International £99 million for a breach that lasted from 2014 to 2018 and exposed the personal data of 339 million guests worldwide. This penalty may raise even more worrying issues for risk managers in Asia than the BA fine, as it is being imposed on a non-EU company for a breach that mostly affected non-EU residents. Less than 10% of the records exposed belonged to people living in Europe.

Of course, 10% of 339 million people is still huge — and the fine reflects that. It represents a whopping 3.2% of Marriott’s gross revenue last year.

Cathay Pacific will be watching these developments with concern. The Hong Kong airline disclosed a breach in October last year that exposed the personal information of 9.4 million customers, which would almost certainly involve more European residents than the BA breach — and also reflects poor security practices.

In a report on the incident published in June, Hong Kong’s privacy commissioner said that Cathay “did not take reasonably practicable steps” to identify a “commonly known exploitable vulnerability”.

“Cathay’s vulnerability scanning exercise … was too lax in the context of effectively protecting its IT system against evolving digital threats,” said Stephen Kai-Yi Wong, Hong Kong’s privacy commissioner for personal data.

A fine of 1.5% of revenues would cost Cathay around US$210 million, while anything above roughly 1.7% would be into record-setting territory.

Managing these types of exposures in complex, global organisations is an increasingly thorny challenge. Another issue arising from the Marriott breach relates to the data liability that companies can incur through mergers and acquisitions, as this particular incident stemmed from a vulnerability in systems belonging to the Starwood hotels group and started two years before it was acquired by Marriott. The ICO found that Marriott had failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems afterwards.

“The GDPR makes it clear that organisations must be accountable for the personal data they hold,” said Denham. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

The two fines announced this week show that regulators in Europe now have the firepower to take on companies that do not take data protection seriously, and that risk managers around the world need to pay attention. This is not to say that companies will face stiff penalties for any data breach, but that they must take reasonable measures to manage their risk exposure.

“Swift reaction and notification are not enough for regulators anymore,” said Grange. “They will investigate not only on how corporations dealt with the incident but also on prevention and protection measures that were in place to avoid or mitigate these types of incidents.”

It is perhaps worth noting that the BA and Marriott fines were both a result of investigations by the British regulator. While the UK will implement a local version of GDPR after it leaves the EU, the ICO will clearly have less power as a domestic agency than it does when acting as the lead investigator for the EU.

It remains to be seen whether regulators in other EU countries will pick up the ICO’s baton after Brexit.
