The United Kingdom Information Commissioner’s Office (ICO) announced substantial security breach fines on two large companies last week. British Airways and Marriott now are feeling the impact for security breaches of customer information in 2018.

UK Hefty Fines Under GDPR for Security BreachesThe £183.39 million ($230 million) fine for British Airways and its parent company, International Airlines Group (IAG), is a record under the GDPR. Four days later the U.K. data authority fined Marriott with a £99 million ($123 million) from a security breach in 2014 but was only found in November 2018.

An item to note is the ICO is the lead supervisory authority working on behalf of other EU State data authorities.  There are questions about what happens once the U.K. does leave the EU.

Under the GDPR, the ICO is allowed to set fines on companies up to 4% of their annual turnover (gross revenue). Marriot’s fine equated to about 3% of its global revenue, while British Airways was about 1.5% of its global revenue.

The largest fine before the British Airlines was £500,000 ($625k) for the Facebook/Cambridge Analytica data scandal. The maximum penalty allowed under the laws before the GDPR.

ICO’s Stance

The BBC reported that Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.

“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

While the ICO is allowing Marriot and British Airways to present their cases, the likely hood of having the fines repealed is yet to be seen.

Customers Impacted:

ICO claims the Marriot’s security breach impacted about 30 million EU residents from a total of 383 million guests. British Airways breach affected about 500,000 customers browsing or using online booking.

Both companies maintain they took all the necessary steps to disclose and remediate the criminal act of stealing data. Each company plans to defend themselves to the ICO and if appropriate, present appeals to the fines.

Your takeaways

While the U.S. doesn’t have a GDPR, the U.S. House and Congress are looking at overarching changes to federal security and privacy laws. However, states are enacting their security laws. The below map from the National Congress of State Legislators displays the difference in state laws between 2016 to 2018.

Data Security Laws Map Comparing State by State in 2018 versus 2016

If you are in California and meet the criteria for compliance with the California Consumer Protection Act of 2018 (CCPA), July 1, 2020, is the date which your attention. This date is when CCPA becomes enforceable. January 1, 2020, is the implementation date.

Here is the main point. Don’t fail-first to realize security is no longer that thing for technology. Security and protecting consumers information is the responsibility of the entire company.

In short, WAV Group is a proactive choice who can facilitate all of these challenges, plus we understand your business. Call Victor Lund or David Gumpper to discuss how the WAV Group can assist.

To stay on top of the most important issues facing real estate today, subscribe to the WAV Group newsletter HERE.