LEGAL

FINES DELIVER GDPR MESSAGE

Huge fines for data breaches should prompt TMCs to put GDPR at the top of the agenda

WORDS IAN SKUSE

ELIZABETH DENHAM, the information commissioner, has been flexing her muscles with proposals for fines arising out of substantial data breaches. The Information Commissioner’s Office (ICO) has stated that financial penalties are intended to be “effective, proportionate and dissuasive”, and are levied on a case-by-case basis. Here is a selection of ICO decisions that have made headlines, alongside some by the ICO’s US counterpart, The Consumer Financial Protection Bureau.

FACEBOOK In the US, Facebook is likely to face a US$5 billion penalty for the Cambridge Analytica data breach. Facebook discovered the misuse of information in 2015 but did not correct it for more than two years.

EQUIFAX Following a £500,000 fine in the UK by the ICO, consumer credit reporting agency Equifax is likely to face a US$800 million fine under the US regime. The Consumer Financial Protection Bureau has indicated it will require Equifax to pay US$380 million into a fund to compensate customers, US$80 million of which is for legal costs. It will also pay US$290 million in state penalties.


MARRIOTT INTERNATIONAL In July, the ICO proposed a fine of £99.2 million, following Marriott International’s report in 2018 that personal data, including credit card details, passport numbers and dates of birth, had been breached prior to its acquisition of Starwood Hotels. The hack related to 30 million guests in 31 countries, 7 million of whom were UK residents. The ICO said Marriott failed to carry out adequate due diligence when it acquired Starwood. Marriott is appealing the decision.


BRITISH AIRWAYS The ICO proposed a fine of £183 million for the compromise of personal data, which it said was caused by British Airways’ poor security arrangements, including logging name, address, payment card and travel booking details. BA notified the ICO in September 2018 that users of the BA website had been diverted to a fraudulent site where personal data was harvested. The proposed fine represents 1.5 per cent of BA’s worldwide turnover for the financial year ended 31 December 2017. BA responded that the cause of the data breach was a criminal act to steal customer data by third parties and did not involve the BA website. BA confirmed there was no evidence of passengers’ accounts being affected by fraudulent activity.

In the wake of these decisions, law firms are queuing up to recruit consumers to join class actions in the courts against corporates, such as BA, that have suffered data breaches.

SURVIVING IN A GDPR WORLD Business travel involves the transportation of personal data between the corporate buyer, the TMC and the end supplier, and involves relationships between data controllers, processors and sub-processors, and suppliers often out of any EU jurisdiction. When managing data transfer by written contracts containing risk compliance and indemnities, corporates should look to:

● A continuing data audit – what data is received, for what purpose, and how securely it is kept?

● Review data security systems, including password security, training and review of systems. All the necessary anti-virus and anti-malware software needs to be installed.

● Personal data should be encrypted.

● Corporates, TMCs and suppliers should have vigorous commercial agreements in place which indemnify the party in default.

● Cyber insurance – offering financial assistance and support when these events occur.

Ian Skuse is a partner in Blake Morgan’s Travel team (blakemorgan.co.uk). He welcomes your feedback: ian.skuse@blakemorgan.co.uk

buyingbusinesstravel.com
2019 SEPTEMBER/OCTOBER 153

