Earlier this week, the Information Commissioner’s Office (ICO) in the UK announced that British Airways (BA) will be fined £183 million (approximately US$228 million) for a data breach. The figure represents 1.4% of the total revenue BA earned in 2018. The airline is the first major business that has been fined under the European Union’s General Data Protection Regulation (GDPR) that went into effect last year.
A day after the BA announcement, the ICO also revealed that Marriott International would be fined £99.2 million (US$123 million), which is 0.6% of the hotel group’s 2018 revenue.
How the ICO arrived at these figures is quite puzzling, especially when you consider that BA’s data breach affected approximately 500,000 people while Marriott’s affected 339 million people worldwide (30 million in the EU, 7 million in the UK alone). In terms of raw numbers, you’d naturally conclude that Marriott’s penalty would be higher, be it percentage-wise or value-wise. While it’s not unprecedented for the first punitive action to serve as an example, the second instance arriving so soon, and being so markedly lenient in comparison, is bound to raise some eyebrows.
One has to wonder, what was so appalling about BA’s information security that it deserved such treatment? Or, perhaps, the converse is true: what was so “laudable” about Marriott’s data breach that it deserved such charity? A penalty of £99 million may not sound charitable, but take into consideration that:
- Dollar-wise, Marriott got fined about half as much as BA,
- 670 times more people were affected by Marriott’s breach than BA’s,
- Marriott’s 2018 revenues are much higher than BA’s, and
- Marriott’s data breach lasted much, much longer.
So, despite Marriott’s security fiasco being much worse than BA’s, the former is being fined much less. Furthermore, because Marriott has higher revenue, the impact of the ICO’s fines is less dire to it than it is to BA.
Whatever the explanation may be regarding the marked difference in monetary penalties, it’s pretty clear that both companies will be contesting the financial charges. Marriott has already announced as much, and British Airways – while it had declared that it was “disappointed” with the outcome on the day the news broke, without mentioning future actions – should find impetus in following suit after this second ICO announcement.
European law has finally given businesses worldwide a very tangible reason for paying attention to data security. Prior to GDPR, data breaches and the costs of dealing with them, as well as of assuaging the public and the authorities, were merely part of doing business due to their relatively undersized financial impact.
Taking away a chunk of revenue, an effect that could, accounting-wise, be likened to deteriorating business conditions, should encourage company boards and executives to view the situation differently and to finally start dealing with information security issues the right way.