The Culpability Index (c)
Have you heard about the Culpability Index (c)? Probably not, because I’ve just invented it after taking a more detailed look at the Information Commissioner’s Office (ICO) announcements last week of its intention to fine British Airways and Marriott £183m and £99m respectively for their data breaches.
In the space of two days last week, the ICO brought the long wait for the UK’s first “GDPR era” fines (if we disregard the action against SCL, aka Cambridge Analytica) well and truly to an end. In fact, if they had continued at that rate every working day for a year, the ICO could raise a much-needed £36.7bn for the Treasury.
Opinions vary as to whether the BA and Marriott level of fines (at least 200 times larger than any previous ‘pre-GDPR’ penalty, remember) were to be expected, or are just an ‘opening shot’, likely to be reduced either in consultation with the other European data protection regulators, for which the ICO acted as lead regulator, or on appeal. Either way, 8- or 9-figure fines are way beyond the ‘slap on the wrist’ level that big brands falling foul of the ICO have grown used to.
That said, the ICO’s decision-making process seems typically unclear. BA’s data breach involved the personal data of far fewer EEA data subjects than did Marriott’s (500,000 vs 30 million), but the effective “cost per data subject” for BA was £366 (£183m divided by 500,000), over 100 times greater than Marriott’s roughly £3.30 (£99m divided by 30 million), even though, from the information publicly available, the sort of data involved was quite similar.
So, why was BA’s failure so much ‘worse’ than Marriott’s? Well, at this stage it’s hard to tell. The penalties are only proposed at this stage, so the ICO hasn’t provided any detailed explanation of its decisions. But even when penalties are confirmed, it’s often not at all apparent why the ICO takes enforcement action in specific cases and, when it does, what it is that decides the level of penalty imposed.
When the ICO is planning to impose penalties running into the tens and hundreds of millions of pounds, however, it will need to. When data breaches occur, arguably one of the key considerations is the breached organisation’s culpability. Perhaps the ICO’s view is that, as Marriott’s breach stemmed from the insecure database it inherited as part of its purchase of Starwood in 2016, it is mainly guilty of a lack of proper due diligence. In contrast, anecdotal evidence from within BA suggests that its data security failings were systemic, long-term and predictable, and therefore that BA’s culpability was considerable.
Anyway, we’ll see what happens. And if anyone from the ICO is reading, you can have the Culpability Index (c). For a small consideration.
(If you’re interested in this sort of thing, sign up to receive our Monthly Compliance Newsletter, dedicated to summarising regulation and compliance news and changes for people with more important things to worry about.)