
British Airways and Marriott face fines totalling £282m for data breaches

 
 
The airline and the hotel chain are the first companies to feel the (almost) full force of the EU GDPR. One question remains – are the fines insurable?
 
What Happened?
In September 2018, Aon alerted clients [Risk Alert] that about 500,000 customers who had booked flights with British Airways (BA) between June and September 2018 via BA’s website and app had their personal information stolen by hackers. The stolen data did not include travel or passport details, but comprised login, payment card, and travel booking details as well as name and address information. The breach took place shortly after the implementation of the European Union General Data Protection Regulation (EU GDPR) on 25 May 2018.
The Marriott breach was disclosed last year but is understood to have occurred between 2014 and 2018, exposing 339 million records, with 7 million British residents among them. The hack targeted a Starwood database before its acquisition by Marriott, a stark reminder of the need for cyber due diligence for acquiring companies.
The Fine
BA owner IAG Group announced on 8 July that the UK Information Commissioner's Office (ICO) intends to impose a penalty of £183.4 million (~US$230 million), equivalent to 1.5% of global turnover for 2017. Notwithstanding Brexit, the UK has indicated that it intends to follow the EU GDPR, and this was the first significant fine to be made public under the EU GDPR, as well as the largest to be issued by the ICO. The ICO explained that it “has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators.” The watchdog said the penalty was for non-compliance with the GDPR and that data was compromised due to “poor security arrangements” at BA, adding that the airline had co-operated with its investigation and made improvements to its security systems.
The following day, it was announced that the intended fine for Marriott would be £99.2 million (~US$124 million), with the ICO stating: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but how it is protected.”
The intended penalties are not final at this stage, and both BA and Marriott have scope to contest them. Wherever the fines land, they will set an important precedent for future penalties under the EU GDPR.
What Happens Next?
The intended fines are less than the possible maximum of 4%, but are still likely to send shockwaves through companies holding the data of EU citizens.
Meanwhile, the ICO has indicated that a further 12 fines are in the pipeline.
The Question of Insurability
A further important precedent which may yet come from this breach is a potential decision regarding the insurability of the fines. The legality of insuring GDPR fines remains a grey area and there is scope for this to be a test case on this matter. The ICO has not prohibited insurance for fines and penalties (unlike the Financial Conduct Authority) and affirmative cover is available under most cyber insurance policies, but the ultimate test is the common law question of whether it is against public policy for the fine to be covered by insurers.
How will the Insurance Market Respond?
Both the aviation and hospitality industries have seen more than their fair share of cyber incidents in recent years and this fine will do nothing to improve insurer appetite for those risks. The implications will be broader for organisations holding EU citizen data if the fine is found to be insurable, depending on how insurers have accounted for the likelihood that EU GDPR fines will be insurable.
Even if the fines are not considered insurable, BA and Marriott are expected to have incurred significant costs already in investigating the breach and notifying affected customers, as well as in legal costs to date. The financial impact will continue with the costs of the appeals as well as the ongoing class action claims against the companies by victims of the data breach (which will only be bolstered by the ICO’s decision).
How can companies protect themselves?
Review exposure to the EU GDPR – try to get a good understanding of how many records held fall under this regime and ensure that safeguards are in place for that data.
Test those parts of your system which are responsible for processing or storing sensitive data – payment windows in particular.
Consider the adequacy of your current cyber insurance protection to cover the range of losses which a cyber incident can cause – particularly if this fine is deemed insurable.
Conduct cyber due diligence when acquiring a company – and explore risk transfer arrangements to manage the financial impact of any exposures you acquire.