U.K. Regulator on Why It Is Pursuing Record Fines Against BA, Marriott
July 10 2019 - 4:59AM
Dow Jones News
By Catherine Stupp
BRUSSELS -- U.K. Information Commissioner Elizabeth Denham said
her office considered cybersecurity gaps, among other factors, in
proposing that Marriott International Inc. and British Airways'
parent company pay the biggest fines to date under Europe's
data-privacy laws.
In an interview with WSJ Pro Cybersecurity, Ms. Denham said the
companies' size, the number of people affected and the length of
time that hackers had access to data before they were detected
factored into the U.K. regulator's calculation of the potential
fines, revealed this week.
International Consolidated Airlines Group SA faces a $230
million penalty for General Data Protection Regulation violations,
while Marriott would be on the hook for $124 million related to
poor security measures. Both companies disclosed the data breaches
in question last year.
The companies have 28 days to respond before the U.K. regulator
issues its final decisions, and they can appeal. Marriott said it
would contest the planned fine. International Consolidated
Airlines' chief executive said Monday that the company would defend
British Airways' position.
Here are excerpts of Ms. Denham's conversation with WSJ Pro:
Q: The fines you proposed would be the highest GDPR fines to
date. What factored into the assessments?
A: The number of individuals affected, the severity of the
attacks, how long people were on the site doing malicious things
with data before it was discovered. We looked at their rigor in
terms of prevention of these kinds of attack. We also looked at the
long-term implications for people. We obviously looked at the size
of the company, their turnover. Our fines have to be effective,
proportionate and dissuasive. For a fine to be dissuasive against a
company that has a turnover in this stratosphere, we have to
provide the fine accordingly. This is not a small business. This is
not a charity. This is a large business that you'd expect would
take care of personal data.
Q: British Airways and Marriott said they hadn't detected cases
of fraud involving data stolen from them, which is counter to
findings from some cybersecurity researchers who say data from
those breaches is for sale on the dark web. Do you take into
account such statements from companies?
A: We look at the opportunities for misuse of compromised data.
In the Yahoo breach, which happened in 2014, it took three years to
find a huge cache of personal data that was for sale on the dark
web.... That's not what we're measuring. We're not saying, can you
prove a link between the compromise of the data and that specific
cybersecurity incident? It sometimes takes years. That's not our
focus. Our focus is whether or not there was adequate, reasonable,
consistent, effective data security to protect people's data.
Q: Do you have technical experts who look for stolen data on the
dark web as part of your investigations?
A: We do. We have a whole tech policy team; we have a lab that's
disconnected from our own servers that's looking at all these
issues.
Q: Some experts say security failures at British Airways that
led to the cyberattack are common for e-commerce companies. Does
failing on basic security measures mean a company could face a
higher fine?
A: There are 100 pages behind our intention to fine, but that's
not in the public domain.... We found some fundamental failings in
data security in both of the companies.... They have to be
PCI-compliant [adhering to standards for handling payment-card
data]. They have to have protection because they run loyalty
programs, because they've got the financial data of millions and
millions of people.... Some critics would say the company was a
victim of criminal activity.... That's for the police to
investigate. For us, we look at whether or not the doors were left
open to make it easy for cyberattacks, whether or not the attack
was foreseeable, what kind of due diligence and steps were taken in
the data security program.
Q: What's most frustrating?
A: So many of our investigations are finding basic or a lack of
cybersecurity hygiene, lack of some of the most basic protections
that people would expect, encryption of credit card data. The CVV
codes on credit cards at British Airways were open. They were not
encrypted. There are payment card industry standards that require
that. Do we look at what other companies are doing? If everyone's
at this really low common denominator, do we take that into
account? We do look at what the industry is doing. We do look
across the retail sector versus the tech sector versus the
automotive sector and the transportation sector.
Q: Are you going to announce other major GDPR decisions
soon?
A: We have a number of other investigations and enforcement
actions in the pipeline. There will be some more fines that are
going to come out over the summer.... We didn't disclose this fine
for British Airways nor did we disclose it for Marriott. Those
companies had a confidential notice of intent and they had market
obligations to disclose it. They decided. So we followed up with a
statement. That's why you don't see the full report with all the
details. Usually this is a confidential exchange.
Q: Statements from your office about British Airways and
Marriott said the companies improved their data security since
these incidents. Did those changes factor into your fines?
A: We fined Facebook GBP500,000 for their role in the Cambridge
Analytica/Facebook disclosure election misuse of 87 million
people's data. That was our maximum fine that was available to us
[before GDPR went into effect in May 2018]. That's not dissuasive,
is it, for a company like Facebook.... They have made some changes
but I think we have to make a very strong statement to the market
and companies about their GDPR obligations. It has to be a
proportionate fine. But we're open to hear what companies have to
say. That's the process.
Write to Catherine Stupp at Catherine.Stupp@wsj.com
(END) Dow Jones Newswires
July 10, 2019 05:44 ET (09:44 GMT)
Copyright (c) 2019 Dow Jones & Company, Inc.