Appropriate technical and organisational measures: key takeaways from the recent ICO BA, Marriott and Ticketmaster penalty notices

The Information Commissioner’s Office (the “ICO”) has recently issued three high profile Monetary Penalty Notices (“MPNs”) in relation to breaches of Articles 5(1)(f) and 32 GDPR. The three fines – totalling £39.65 million - highlight the ICO’s determination to ensure that organisations implement "appropriate technical and organisational measures", and its willingness to take enforcement action against those that fail to do so:

• On 16 October 2020, the ICO issued its largest fine to date - £20 million - to British Airways plc (“BA”), in relation to a data breach in 2018 in which the personal data of around 430,000 of BA’s customers was compromised by a hacker gaining access via systems used to permit staff/contractors to work remotely. Please find more detailed analysis of the BA MPN here.
   
• Just two weeks later, Marriott International Inc (“Marriott”) was fined £18.4 million in relation to a cyber-attack on Starwood Hotels Resorts Worldwide, Inc (“Starwood”), which started in 2014 and remained undetected until September 2018. This cyber-attack led to personal data belonging to approximately 339 million customers being exposed. Please find more detailed analysis of the Marriott MPN here.
   
• Most recently, on 13 November 2020, the ICO issued Ticketmaster UK Limited (“Ticketmaster”) with a MPN, fining the ticket sales and distribution company £1.25 million for breaches relating to a cyber-attack which took place in the first half of 2018 and compromised the personal data of up to 9.4 million customers. Please find more detailed analysis of the Ticketmaster MPN here.

The key takeaway from this triumvirate of decisions is that: (1) there is a well-developed body of jurisprudence setting out the steps which the ICO considers data controllers processing significant volumes of personal data, particularly payment-related data, need to take to have in place "appropriate technical and organisational measures" to secure the personal data which they are processing; and (2) failure to take such steps will have significant financial consequences in the event of a substantial data breach (in Ticketmaster's case this involved a fine of approximately 1% of its worldwide turnover in the relevant period).

Our detailed analysis of these decisions also highlights:

• The trend of reductions between the fines proposed by the ICO in a Notice of Intent (“NOI”) and the final figure in the MPN (in BA’s case, for example, there was an 89% reduction);
   
• The useful guidance provided in the Marriott MPN as to how organisations should determine whether to notify relevant Supervisory Authorities for the purposes of Article 33 GDPR;
   
• The importance of robustly challenging the findings in an NOI, an approach which bore fruit in each case (either knocking out or shifting the focus of the ICO’s findings);
   
• In respect of the BA and Ticketmaster MPNs, the fact that the breaches arose from issues relating to third parties involved in their supply chains, and the ICO’s lack of receptiveness to arguments that this fact obviated BA and Ticketmaster’s responsibilities as data controllers in any way; and, perhaps most importantly;
   
• The possibility of the fines imposed by the ICO being eclipsed by liabilities arising from civil claims in respect of the breaches.