On
The fines follow investigations into well-known data security breaches in 2018. In the case of
ICO and CNIL
This is ICO's first major fine under the GDPR. ICO worked with CNIL under the GDPR's “one-stop shop” provision. Pursuant to the one-stop-shop cooperation mechanism, ICO's draft decisions were sent to other European data protection authorities and carefully examined by CNIL. This is a key process under the GDPR: the lead authority has to coordinate with and work alongside the regulatory bodies of the other European countries affected by a breach. The lead authority shares its findings and proposed fines with those regulatory bodies, which review the proposed fines and discuss the review process with the lead authority before confirming the proposed fines or recommending revisions. CNIL endorsed the final outcome before the decision, and ICO published the fines this past week. Under the GDPR, a company subject to a breach is also given an opportunity, after being notified of a proposed fine, to argue, comment and make written observations on it.
ICO levied a fine of £18.4 million (approximately
In calculating its fine, ICO took into consideration that (i) Marriott did not gain any financial benefit from the breach, (ii) the nature of Marriott's data security and information technology failures was of significant concern, as there were multiple measures Marriott could have employed to detect the attack earlier, and (iii) significant distress was caused to individuals, as evidenced by the likely cancellation of payment cards and the 57,000 calls received by Marriott's call center following the breach. In reducing the proposed fine, ICO considered (i) the representations made by Marriott, (ii) the steps Marriott took to mitigate the impact of the incident and (iii) the economic impact suffered by Marriott as a result of the COVID-19 pandemic. Marriott's mitigation efforts included implementing password resets and enhanced detection tools and disabling accounts known to be compromised. Further, Marriott set up a dedicated incident website in a number of languages and a call center, and took a number of other steps to assist and reassure data subjects. ICO also considered the fact that Marriott had fully cooperated with ICO's investigation.
British Airways Breach and Fine
On
In calculating the fine, ICO took into account
ICO stated that
Takeaways From the ICO and CNIL Fines
Companies that are subject to a breach should:
- Be vigilant about reporting data breaches as soon as possible after they are confirmed, including notifying the relevant Data Protection Authorities, such as ICO or CNIL, if the breached data is subject to GDPR protections
- Take immediate action to remediate the cause of the breach and to mitigate damages, including minimizing any distress caused to individuals as a direct result of such breach
- Actively communicate with data subjects concerning the breach and offer all appropriate relief, such as credit monitoring, in the wake of the breach
As evidenced by ICO's rulings in
Originally Published By
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
© Mondaq Ltd, 2020 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source