ICO Issues Multi-Million Pound Fines for Data Breach Failures

The information rights regulator announced two substantial fines for British Airways in September, fining the airline £20m, followed a week ago by an announcement that Marriott International faces an £18.4m penalty.

Kingsley Hayes, head of data breach at Keller Lenkner UK, commented: “The ICO has taken a methodical approach to investigating each of these breaches before imposing a final fine. While British Airways faces the largest data breach penalty to date, followed closely by Marriott International, both organisations will be paying significantly less than the originally proposed figures.

“The Information Commissioner’s Office has considerably reduced the BA fine from £183m while Marriott will be paying £18.4m instead of £99m.

“The financial impact of the pandemic was taken into consideration, alongside the extensive co-operation of both businesses, which purport to have implemented improved security systems to prevent a recurrence.

“The message to businesses remains clear, protect customers’ private information or face hefty consequences. While both BA and Marriott may have successfully avoided far heavier fines, the reputational damage is an additional hidden cost.

“Both will have suffered serious financial losses during the pandemic. While the ICO is taking the Covid circumstances into consideration, it has shown that organisations will still be held accountable for failing to have the appropriate security measures in place.

“Businesses are required to securely collect, store and process personal data – this includes being responsible for the security of private information throughout its supply chain.”

Ends