The penalties come two days after British Airways was fined £183m by the Information Commissioner’s Officer for a separate data privacy breach
The Information Commissioner’s Officer (ICO) is intending to fine the Marriott International hotel group £99.2m for breaching data protection law after exposing 339 million of its guest’s personal data, discovered last November.
In a statement released online, the ICO said it intended to impose the fine for infringing GDPR and that it will “consider carefully the representations made by the company and the other concerned data protection authorities” before it makes a final decision.
But with a fine so large, coming so soon after the ICO announced it was fining British Airways (BA) £183m, will cyber insurers step in to pay these fines?
On whether the fine is covered by insurance, Clive O’Connell partner at McCarthy Denning, said that Marriott has cyber insurance – the question of whether any fine is covered is a vexed one.
He said that the policy needs to be looked at first stating that “many will cover fines provided that the cover of fines is allowed” but this may not be the case for all countries.
He told StrategicRISK’s sister title, Insurance Times: “In English law there is a rule that one cannot insure against one’s own wrongdoing. Clearly one cannot insure against a criminal sanction. That is against public policy. One can almost certainly not insure against a civil fine for one’s wrongdoing. The question is whether one can insure for a strict liability penalty.
“This is a fraught question and one that has not been tested in the context of GDPR. Most commentators believe that such fines will prove uninsurable. That said the size of the Marriott fine is such that, if insurance exists, we may well see this challenged in court
Flexing its muscles
Cyber security consultancy Mactavish said that the ICO is “flexing its muscles” in relation to the two fines – BA and the Marriott.
Bruce Hepburn, chief executive at Mactavish, said: “Two ICO announcements of this magnitude in quick succession make clear the landscape is seriously changing. This should be a clear sign to companies that they need to have robust programmes of insurance in place that can respond to the defence of an ICO investigation.”
“Companies should not just assume cyber insurance will provide cover – the reality is far more complex than that. Cyber insurance can be incredibly valuable to hold in this scenario: even though ICO fines are broadly uninsurable in the UK, good cyber insurance will go so far as covering defence costs, customer compensation and various wider costs of responding to a data breach incident.
“Legal defence costs in particular are likely to be significant if fines continue to escalate, especially where ICO decisions are contested as looks likely in the current cases of BA and Marriott. So, companies need to ensure that the levels of insurance cover that are in place are meaningful. Companies should ask themselves whether they are buying enough insurance to cover these costs and all the expenses that can be incurred in the event of a breach,” he continued.
“But Cyber is also a relatively immature and highly complex insurance product. There are enormous differences in what policies do and do not cover and how that cover works. The circumstances of Marriott International’s data breach – discovered recently, but occurring many years ago, before Marriott’s acquisition of the company – could create multiple challenges to securing cover.
“Companies facing similar situations might be surprised to find out that the cyber insurance they purchased was not as reliable as they supposed. This type of situation could also bring up issues around historic non-disclosure, where the legal duties applying to buyers of insurance have changed since the Insurance Act came into force in 2016 and insurers have recently been gearing up to take more such objections on claims supported by guidance from the Lloyds Market Association,” Hepburn added.
“Across corporate insurance of all classes, insurers dispute nearly half of all large and complex claims. For an immature market like cyber, faced with rapidly evolving risks and what looks like a stark change in stance from the regulator, it is safe to assume this number will be higher still at least over the next few years.”
But Laetitia Fouquet, deputy head of cyber at Charles Taylor Adjusting, believes the ICO’s decision is “setting the tone” with this being the second large fine issued this week to two different companies.
She told Insurance Times: “The ICO notified Marriott of its intention to fine them for £99 million for the breach of GDPR. Although the fine is less than the one imposed on BA, despite the number of guest records being higher (approx. 339 million) the ICO found that Marriott had not secured the data following the acquisition of Starwood in 2016.
“It is for many a surprising result and sets the path for more fines should organisations not extend their due diligence to protect data acquired at the time of mergers and acquisitions. It broadens the accountability and legal duty when acquiring and whilst it may appear unfair to some, the main aim of GDPR has always been to protect data subjects against the misuse of their information and the ICO is therefore intent on applying this strictly and to many different scenarios.
“This should prompt corporates to review not only their cyber covers but also D&O [directors and officers], W&I [warranty and indemnity] or M&A [mergers and acquisitions] policies,” she said.
Reconsidering cyber insurance
Hepburn warned: “All businesses would be well advised in light of these developments to reconsider the case for cyber insurance if they don’t currently hold it. However, whether or not the cover is already in place, it is essential that they take a close look at the detail of the terms and conditions and are clear on what they are and are not covered for.
“Failing to do so and then being hit with an investigation and fine of this level (or potentially higher still in the event of greater perceived negligence) would leave boards exposed to an accusation of negligence in managing what is now a very high-profile exposure. The ICO is clearly getting very serious indeed, and boards need to take notice before it’s too late.”