Not all 2018 data protection planning was about GDPR compliance programs.
On 7th September 2018, the same day that BA announced that 380,000 of its customers had potentially been affected by a breach involving website and app customer data, SPG Law, the UK arm of US law firm Sanders Phillips Grossman, demonstrated considerable pre-planning by announcing the launch of a group compensation claim against the airline based on Article 82 of the GDPR. The domain name www.badatabreach.com had been purchased by the law firm within hours of the breach being announced to help advertise its services.
SPG Law's 'no win, no fee' claim will, it says, be brought by way of a Group Litigation Order action with an estimated £1250 available for each claimant. Whether or not regulators decide to fine BA, the company is one of the first to face the prospect of co-ordinated compensation claims since the GDPR took effect in the EU in May 2018, a reminder that percentages of worldwide turnover are not necessarily the end of the story when quantifying data and cyber risks.
The announcement on 30th November 2018 that the Marriott chain has been the victim of a large cyber breach dating back to 2014 shows that businesses operating in the Hotel & Leisure sector are also exposed to such risks. Indeed, the French data protection regulator, the CNIL, published a report in October 2018 which showed that of the 742 data breaches that had been notified to it since the GDPR went live in May 2018 the sector most frequently affected was the hotel sector (185 notifications made were from the sector).
Notifying appropriate regulators and, potentially, those affected by data breach and cyber incidents within the tight timescales imposed by Europe's new laws is challenging and requires well-rehearsed incident plans to be in place. The GDPR potentially is also not the only piece of legislation which needs to be considered. Those who fall within the ambit of laws which implement the Network & Information Systems (NIS) Directive's Digital Service Provider's definition, for instance because they act as an online market place, will also need to consider the incident notification requirements and large maximum fines (£17m in the UK) applicable under those laws.
Those who operate hotels and those whose brands or buildings are used in such operations also need to consider what contractual obligations are appropriate between them. Franchised brand owners for instance are increasingly including GDPR- specific language and liability clauses in their franchise agreements and franchisee manuals.
The BA and Marriott breaches highlight the potential risks posed by group litigation and by GDPR and NIS Directive fines, and the need for those in the Travel and Hotel & Leisure sectors to ensure that their compliance programs were set broadly enough to cope with all three.