Data Protection News April 2020

Q1 2020 Round-up of Data Breaches and Fines
Marriott and BA ICO Fine Decisions - Further Delays
Cyber Security and Data Protection Pandemic Tips
April 8 2020

Data Breaches

The number of Data Breaches reported in the media during Q1 2020 was 82, with an estimated 3 billion records breached. The biggest global breaches from Q1 were:

  • January – Microsoft discloses security breach of customer support system (250 million records)
  • February – Estee Lauder leaves database publicly available online (440 million records)
  • March – Chinese micro-blogging site Weibo had 538 million records leaked

ICO Fines

Q1 2020 saw only 3 fines issued by the ICO, but each was for £500,000. DSG Retail and Cathay Pacific received their fines for inadequate security measures; CRDNN received theirs for making 193 million nuisance calls.

For more detailed information about ICO fines visit:

GDPR Fines

In Q1 2020 there were 51 GDPR fines across Europe, including:

  • Just under €28 million to an Italian telecoms provider
  • An €8.5 million fine to an Italian utilities company
  • The Data Protection Authority of Sweden fined Google €7 million for failing to remove search results when requested

Marriott and BA Decision Delayed

In July 2019 the ICO announced its intention to fine Marriott International £99M and British Airways £183M after both firms suffered separate data breaches. There was a 6-month consultation period, and decisions were supposed to be taken in January 2020. This was originally delayed until March 31st, and further delays have now been announced.

The BA decision has been pushed back to May 18th. BA have previously stated that they will fight the fine, and they are now also facing an existential crisis with a grounded fleet and a global economic downturn.

The Marriott decision has now been slated for 1st June. On 31st March 2020 Marriott revealed that it had suffered another data breach during January and February, affecting 5.2 million guest records worldwide.

Cyber Security and Data Protection Pandemic Tips

Cyber Tips for Covid-19

During the pandemic, we are facing a paradigm shift toward working from home as the rule, rather than being the exception.

Organisations are scrambling to deploy managed devices to their staff and we will see a rise in the number of employees using their own devices for home working. Here are 6 tips for staying cyber-safe during this time.

Manage Risk: assess risks and mitigate vulnerabilities, both independently and among key supply chain or service partners.

Business Continuity: to what extent are you following your BC Plan? This is a good opportunity to review it in light of how well it has worked in practice.

Be wary of phishing attacks: raise awareness with your staff that there are criminals pretending to provide pandemic updates or pretending to be utility providers offering free services.

For remote working, consider and remediate:

  • Licensing implications
  • System capacity
  • Authentication mechanisms
  • Endpoint security
  • Physical security of home offices
  • File sharing methods

Collaboration tools: understand and identify use cases and clarify which tools should be (and should not be) used for business purposes.

Communications: Be clear, concise and transparent with communication to customers, partners and employees. Limit misinformation by only using trusted resources such as the WHO.

There is a set of guidance available from the National Cyber Security Centre, found here.

Lock-Down Down-Time

Covid-19 has affected companies in extremely different ways. Some have effectively shut down whereas others are experiencing a peak in demand and workload.

For those smaller organisations whose work has slowed down, but still want to be productive, here are 5 things that you could be doing to shore up your data protection compliance levels.

  1. Review your Data Protection and Information Security policies. Make use of templates and recommended best practice.
  2. Document all your technical and organisational security measures in one place. This will streamline your ability to respond to an audit or fill out security due diligence questionnaires.
  3. Review your Record of Processing Activities. Catalogue your main personal data processes, and for each one, capture:
    • The purpose and lawful basis
    • Categories of data subjects
    • Third-party disclosures of the data
    • International transfers and safeguards
    • Data retention durations
    • Security and access control methods
  4. Review your privacy notices. Ensure they have all the requisite information and that they are being served up to data subjects when you capture their data.
  5. And finally, update your subject access request processes to cater for any changes resulting from remote working.