Managing data transfers from the UK

February 2022

The new International Data Transfer Agreement (IDTA) and Addendum is a sensible evolution of the old SCCs

International Data Transfers – to recap

Whenever UK-based organisations arrange the transfer of personal data to a third country outside the UK, they need to make sure the transfers are lawful, by confirming the data security and rights of individuals remain protected when data leaves the country.

Since the famous “Schrems II” ruling by the European Court of Justice in 2020, this activity has been thrown into disarray. To remind you, this is the ruling which invalidated the EU-US Privacy Shield and raised concerns about the use of EU Standard Contractual Clauses (SCCs) to protect the data. 

Soon after, the European Commission set to work to update the EU SCCs. These were drafted and enacted fairly swiftly taking effect on 27th June 2021. 

What are the new EU SCCs?

The new EU SCCs were expanded to introduce more flexible scenarios: 

  • SCCs are now modular meaning that they can accommodate different scenarios, where you can pick the parts which relate to your particular situation.
  • The SCCs cover four different transfer scenarios, including processors:
    • Controller to controller
    • Controller to processor
    • Processor to controller
    • Processor to processor
  • More than two parties can accede to the SCCs, meaning additional controllers and processors can be added through the lifetime of the contract. This potentially reduces the administrative burden.

How did this affect the UK? 

On 28th June the UK’s adequacy decision was adopted.  On September 27th 2021, the prior version of the SCCs expired. 

In our webinar last year, it was obvious that everyone was confused. The situation caused by the “Schrems” ruling was compounded by the fact that Brexit had been completed. This meant we could no longer apply the SCCs approved in Europe. The UK needed its own SCCs, but they did not exist. 

The ICO consultation

From August to October 2021, the ICO conducted a consultation to understand how a UK version of these rules should be enacted. Since we had been granted an adequacy agreement by the EU, we all hoped it would be possible to mirror the SCCs arrangements in UK law thus re-instating the means by which we can lawfully export data to places such as the US. 

Anecdotally the resounding view was not to mess with the principles enshrined in the EU SCCs as it would simply add complexity to an already complex situation.

The ICO conclusion

In January, the ICO published the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses. To the layperson, the EU’s standards have been adopted. 

What’s included in the Agreement and Addendum? 

    1. The International Data Transfer Agreement (IDTA) replaces the old EU SCCs which were relied upon to provide the appropriate safeguards required under the UK GDPR for international data transfers from the UK. There are differences to the new EU SCCs – it is a single all-encompassing agreement that incorporates all the scenarios identified in EU SCCs. One can omit sections and there is no requirement for it to be signed. This is most useful for those creating new data transfer agreements.
    2. The UK Addendum is a far simpler document. It is an addendum to the EU SCCs where references to EU laws are replaced by references to UK laws. It allows businesses to use the EU SCCs for international data transfers from the EU but also from the UK. These are useful for those already using the EU SCCs who want a simple addendum to update the legal context. 

When does this come into force?

The IDTA was laid before Parliament on 2nd February 2022. It comes into force on 21st March if there are no objections. To all intents and purposes, it’s in force now. The Information Commissioner Office (ICO) has stated the IDTA and UK Addendum:

“are immediately of use to organisations transferring personal data outside of the UK, subject to the caveat that they come into force on 21 March 2022 and are awaiting Parliamentary approval“.

What does this all mean?

In practice, UK businesses can breathe a sigh of relief and get on with their lives. There is clarity at last. Existing agreements need to be updated with the UK Addendum and new ones can be put in place with the International Data Transfer Agreement. There will be an administrative burden, but businesses now know what they need to do.  Good sense has prevailed. 

 

Julia is an experienced data protection consultant and has been advising businesses since 2016. She regularly delivers GDPR training as well as developing bespoke GDPR guidance for our clients.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

The data breach that cost Marriott £18.4 million – what went wrong?

November 2020

The humongous penalty train keeps rolling – after the £20 million fine for British Airways for GDPR violations, the Information Commissioner’s Office (ICO) has slapped an £18.4 million fine on Marriott International Inc.

In its ruling, the ICO says Marriott made multiple failures in its technical and organisational measures for protecting personal data. The case also highlights how when a business acquires another company it becomes accountable for past as well as present compliance.

An estimated (and staggering) 339 million guest records were affected worldwide, following the 2014 cyber-attack on Starwood Hotels and Resorts Worldwide Inc. It’s estimated 7 million of those affected were UK citizens.

Starwood was acquired by Marriott in 2016, and the attack went undetected until September 2018. The ICO has stressed its ruling relates to infringements after GDPR came into force in May 2018.

As the data breach was notified before Brexit, the ICO was able to act as lead supervisory authority, charged with investigating the breach on behalf of all affected EU citizens.

The penalty was signed-off by other EU data protection authorities, under GDPR’s one-stop shop mechanism for cross-border cases. Moving forward post-Brexit, the UK will no longer be part of the one-stop mechanism.

Why was the fine reduced?

In its original ‘Notice of Intention’ to fine in July 2019, the ICO set the figure at an eye-watering £99 million. The Regulator says this amount was reduced taking several factors into consideration;

  • Marriott’s representations to the ICO
  • The action the hotel group took to mitigate the breach’s impact
  • The economic impact of the COVID-19 pandemic

There are some rumblings the pandemic may be proving a handy ‘excuse’ for the ICO; COVID-19 was also cited in the reasons for reducing the British Airways fine.

This begs the question – did the ICO significantly over-estimate in their initial notices, or are they being kind-spirited due to the current financial and operating climate?

What went wrong for Marriott?

  • In 2014 unknown hacker(s) installed code onto a device in the Starwood systems. This gave them the ability to edit the contents of the device remotely.
  • This was exploited to install malware, giving the attacker privileged access. The attacker had unrestricted access to connected devices across the Starwood network. The attacker then continued to install further tools, enhancing the malicious access.
  • In 2016 Marriott acquired Starwood. The ICO’s ruling reveals Marriott was only able to carry out limited due diligence of Starwood’s data processing systems and databases prior to acquisition (those with acquisition experience will know how challenging robust due diligence can be).
  • In September 2018, the attacker made a move which finally tripped an alert. They exported a table which contained card details on which a security trigger had been set. Such alerts were not in place to automatically trigger on other data sets accessed – for example passport details.
  • Marriott notified the ICO and affected individuals in November 2018 after becoming ‘aware’ of the nature of the breach.
  • The data exfiltrated by the hacker(s) affected data included names, email addresses, phone numbers, passport numbers, arrival and departure information, VIP status and loyalty program information.

72-hour data breach notification rules

You may note there was a significant time delay between the trigger being fired in September on Starwood’s systems and Marriott’s notification to the ICO in November.

As part of its representations Marriott challenged the ICO’s initial finding that the 72-hour breach notification rules had been infringed (GDPR Article 33).

This comes down to when a controller can be judged to be ‘aware’ a personal data breach has occurred.

In its final ruling ICO found Marriott was incorrect to claim that;

“The GDPR requires a data controller to be reasonably certain that a personal data breach has occurred before notifying the Commissioner. Rather, a data controller must be able to reasonably conclude that it is likely a personal data breach has occurred to trigger the notification requirement.”

However, in ‘this particular case’ taking into account Marriott’s representations the Commissioner decided to make a finding that Marriott had NOT breached the notification requirements.

Key ICO findings

At a top-level there are four key findings in the ICO’s ruling. It’s worth remembering the ruling applies to the period post 25 May 2018, despite historic pre-2018 concerns.

  1. Insufficient monitoring of privileged accounts
    There was a failure to put in place ongoing network and user activity monitoring. The ICO says Marriott should’ve been aware of the need to have multiple layers of security.
  2. Insufficient monitoring of databases
  3. Failure to implement server hardening – the vulnerability of the server could’ve been reduced, for example, through whitelisting.
  4. Lack of encryption – for example, passport details were not encrypted.

If you are interested in the full details, you can read the full ICO Marriott ruling.

The ICO references the National Cyber Security Guidance: 10 steps for Cyber Security, which is a useful resource for any business wanting to make sure their cyber sec is robust.

There’s little doubt the attack Marriott suffered was sophisticated, but the ICO says their investigation revealed how the hotel group failed to put in place appropriate security measures to address such attacks and other identifiable risks to their systems.

Impact on individuals

In its ruling the ICO ruling took into account the nature of the personal data breached.

Despite assurances given and mitigating steps taken by Marriott, the Regulator concluded it was likely some of the affected individuals will, depending on their circumstances, have suffered anxiety and distress. The Ruling also specifically calls out the duration of the breach, lasting as it did a period of 4 years.

What can we learn from this data breach?

The number of people affected, the nature of the data maliciously accessed, the potential distress caused and the size and profile of Marriott… all of these will have played a part in the £18.4 million fine. This is a scalable problem – but for every business cyber security needs to be a priority.

When acquiring a company, due diligence is crucial prior and post-acquisition, but this must be an ongoing process, not a one-off activity.

The fine’s just the tip of the financial iceberg. Marriott will have spent a significant amount on rectifying the breach and mitigating the impact for affected individuals, before we even contemplate the cost of complex and protracted legal representation.

Alongside this hefty financial hit, the hotel group also faces a class action lawsuit from customers who are seeking compensation. If successful, this could prove even more costly.

It’s worth noting the fine would’ve been higher if Marriott hadn’t proactively sent email communications to affected customers, created a data breach website and set up a call centre to provide a data breach hotline.

It’s often said, because it’s true, you can’t underestimate how crucial it is to be prepared for a data breach.  Making sure you have a robust (and tested) data incident plan, being able to effectively and quickly assess the risk posed, plus having a pre-prepared communications strategy and measures to support those affected.

Commenting on the fine, the UK’s information commissioner Elizabeth Denham said;

“Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not. When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

Marriott says they remain committed to the privacy and security of their guests and is continuing to make significant investments in security measures for its systems. Marriott has not admitted liability for the breach, but has indicated it won’t appeal.

 

Need extra support and advice? We can support with your data incident planning and procedures. Get in touch – we can also provide rapid support should you suffer a data incident which requires effective and quick investigation.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

British Airways data breach – what can we learn?

October 2020

We’ve finally heard the UK Information Commissioner’s Office (ICO) has fined British Airways £20 million for failing to protect personal and credit card data in their 2018 data breach. A breach which affected more than 400,000 BA customers and staff.

A final decision on this has been expected for some time, we just didn’t know what the figure would be until now. The amount is a fraction of the £183 million initially announced in the ICO’s notice of intention to fine. After considering BA’s representations and factoring in the economic impacts of COVID-19 it has been significantly reduced. But it’s still an eye-watering sum, in fact, the largest fine issued by the ICO.

What are the key lessons other businesses can learn from BA’s painful experience?

Information security must be taken seriously at Board level

Modern businesses rely on data more and more to provide quality services for customers and to create competitive advantage.  However, the risks to personal data are numerous, varied and ever-changing. A data breach can massively harm a business’s reputation with its customers, staff and with the world at large.

It’s often said that with power comes responsibility, so businesses need to recognise their roles as guardian and protector of the personal data of their customers and employees. We have to deliver on the promises we make, for example, in our privacy notices. Any steps your business can take to properly protect personal data and demonstrate to staff and the public how seriously you take data protection will help protect them from harm and also may help you to stand out from competitors in these tough times.

Boards need to show leadership by insisting on a strong and vigilant information security regime. I guess that means they need to be prepared to fund it too! It also means asking tough questions about the levels of data protection in place across the organisation.

Rachel Aldighieri, MD of the Data & Marketing Association (DMA), believes this is a wake up call;

“Brexit and coronavirus have put businesses under immense financial strain. A fine of this magnitude will certainly get the attention of Board members of organisations across the UK. They will certainly not want to risk receiving similar disciplinary action from the ICO. This is the largest fine issued by the ICO to date under the new GDPR laws, highlighting the importance all businesses should place on the security of customers’ data and the need to build in safeguards to protect it.

“Data is a fundamental part of the digital economy, so maintaining its security must be a business imperative. Trust in how brands collect, store and use data is essential to the relationship between businesses and their customers. This message should resonate with businesses now more than ever.”

Security measures must not only be ‘adequate’ but also checked and verified

The ICO said there were numerous measures BA could have used to mitigate or prevent the risk of an attacker accessing their network.

Martin Turner, Managing Director at cybersecurity specialists Full Frame Technology, believes BA missed the basics:

“As with so many serious data breaches, this one was caused by a failure to adopt the most basic security measures, including limiting access to applications, rigorous cybersecurity testing, and protecting accounts with multi-factor authentication.

Login credentials for a domain administrator account were stored in plain text. Software code wasn’t reviewed effectively. These are issues that a cybersecurity audit should have revealed, and BA has yet to explain why this didn’t happen.”

The ICO has (finally) shown us it has teeth!

Could this be a turning point? It’s been a long time coming and many expected it to happen much sooner. The ICO have finally issued a BIG fine more in keeping with the expectations most of us had when GDPR came into force.

Nevertheless, you might feel the ICO has shown a measure of pragmatism, reducing the fine down so much from the original £183m. But it’s not great timing for any business to suffer a body blow like this.

It will be interesting to see what figure the ICO finally decide to fine Marriott International for their Starwood data breach, which first came to our attention around the same time as BA. The ICO’s original ‘intention to fine’ for Marriott was £99 million.

Should we think again about data breach insurance?

You might be thinking afresh about breach insurance. We’d suggest you shop around and pay attention to the fine print, as data breach insurance policies can vary more than you might imagine.

Don’t just look at the price as no two policies are the same and there is little consistency in the way policies are worded. The levels of cover and features on offer can vary significantly. Keep an eye out for exclusions!

One key differentiator you may wish to delve into is the level of support your insurer will provide in the event of a breach or a cyber attack. Do they have a team of specialists in place who will advise and help you to triage a live situation? This is one area where you might get just what you pay for.

This fine was long anticipated and the pandemic has definitely played its part in reducing the final amount. The travel sector has been badly impacted by COVID and £20 million will hit BA hard. BA may decide to appeal against it. It goes to show how important it is to have robust data protection and security measures in place.

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

SIGN UP FOR OUR NEWSLETTER

Get DPN updates direct to your inbox. Insight, free resources, guides, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.