Travel companies (along with nearly everyone else) have spent the past several years talking up how important and valuable the data they collect about passengers is. New market segments and new profits are to be uncovered once they finally figure out how to properly use all that information. In the mean time, however, protecting that data is a challenge the companies have not performed particularly well at. A pair of fines announced this week by he UK Information Commissioner’s Office (ICO) in its role as lead supervisory authority on behalf of other EU Member State data protection authorities makes it clear that real penalties are coming should companies continue to leak customer data security.
On Monday the ICO announced a record penalty of £183.39mm (~$229mm) against British Airways for the compromised 500,000 passenger records, including passport and credit card details. On Tuesday the ICO followed up with a 99mm (~$123mm) penalty for Marriott, based on the compromised Starwood reservations data warehouse it acquired in the merger of the two hotel giants. In that case the ICO made clear that proper due diligence during the merger process should have uncovered the breach and likely would have protected Marriott from such penalties.
People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights. – Information Commissioner Elizabeth Denham
Not surprisingly, both Marriott and British Airways intend to appeal the fines. Alex Cruz, British Airways chairman and CEO noted, “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data.” Marriott International’s President and CEO, Arne Sorenson struck a similar tone, “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”
Both companies call out the criminal nature of the compromise as well as their cooperation with the investigation. Alas, that cooperation will not save the companies much from the fines. Or perhaps it will. The ICO is authorized to penalize a company up to 4% of its prior year revenue for a breach. These two rulings come in well below that threshold, though they are significantly higher than penalties Facebook and Google were recently assessed.
While it is likely the final penalty will be reduced on appeal, the ICO’s position in these two cases show that regulators are finally willing to levy significant penalties when the mandated protection breaks down. A substantial fine that forces companies to take notice might just be the only way to ensure that more investment in data protection happens prior to future breaches.
Will these fines slow the predicted growth of highly personalized marketing offers from airlines or hotels? Will they upset an industry hell-bent on demonstrating its digital savvy without much in the way of practice? Perhaps so, though that may prove good news for consumers.
Also worth noting that the penalty does not go to the affected consumers. That’s not quite as good news for those who saw their data breached.
And lest anyone think that these breaches only happen through crazy computer hacking schemes, here’s a note about a fine levied because a hotel left the list of names eligible for breakfast out on a counter. Whoopsie.