Last summer, British Airways’ (“BA”) website and mobile App were hacked, which resulted in the theft of the personal data (including payment card details) of around 500,000 customers. Yesterday, the Information Commissioner’s Office (“ICO”) announced that it intends to fine BA a massive £183 million in relation to the incident for infringements of the General Data Protection Regulation 2016 (“GDPR”). This figure is equivalent to 1.5% of BA’s turnover for 2017.
Largest fine by ICO
BA now has 28 days to appeal the fine. However, even if BA succeeds in getting the fine reduced, it is still going to be the largest fine that the ICO has ever imposed (previously, the league table was topped by the £500,000 penalty imposed on Facebook following the Cambridge Analytica scandal). The difference is that the BA security breaches occurred post 25th May 2018, so the ICO is able to wield the significantly enhanced fining powers that exist under the GDPR.
Claims for compensation
It’s unlikely that the regulatory fine will be the end of the story for BA. The ICO’s decision is also likely to lead to claims for compensation from the 100,000s of customers affected by the security breach. There’s no clear information at present about how many of BA's customers have actually suffered financial loss as a result of the theft of their personal data. However, even without evidence of pecuniary damage, customers will be able to claim compensation for “non-material” loss, such as distress and inconvenience.
What lessons can be learned?
The ICO hasn’t yet published details of how it calculated the fine (for example, what breaches of the GDPR were identified and what mitigating and aggravating factors it took into account). However, even without this level of detail, it’s possible for businesses to learn some valuable lessons from BA’s experience:
- The ICO is not going to be afraid to make full use of its new powers.
- If you are entrusted with personal data (whether relating to your customers, your employers or others), the ICO expects you to do your utmost to protect it. In particular, you need to ensure that you keep abreast of the latest threats and implement measures and processes designed to pick up on unusual activity.
- It appears that the hack which led to the security breach may have occurred earlier down the supply chain (i.e. as a result of compromised third-party software). So, it’s vital both to choose your suppliers carefully and to ensure that you promptly install any updates or fixes provided by them.
- You won’t escape a fine just because you have been targeted by criminals. Also, the fact that you were the subject of a sophisticated hack that was difficult to detect won’t necessarily exonerate you.
- The GDPR requires you to put organisational, as well as technical, security measures in place. This means training your staff and ensuring that you have implemented processes designed to ensure the prompt detection and reporting of potential security breaches, as well as building in protections such as firewalls and encryption.
- The fact that you comply with the new rules under the GDPR for reporting personal data breaches and cooperate fully with the ICO’s investigation is likely to be a mitigating factor when it comes to calculating the level of fine imposed on you. However, such compliance and co-operation won’t mean that you avoid a fine completely.
- It’s important to address the security of your web and mobile applications, not just your internal security.
Bear in mind that in this case, the ICO was dealing with an extremely large organisation which would have had the wherewithal to implement state-of-the-art security. Also, the personal data which was stolen was of a highly sensitive nature (since the hackers obtained enough detail from customers to actually make use of their payment cards). Both these factors will no doubt have influenced the level of fine.
What help is out there?
Perhaps the biggest lesson that can be learned from the BA story is that prevention is most certainly better than cure. If you think you need to review your technical and organisational security measures, an excellent starting point is the information on security included in the ICO’s Guide to the GDPR (which can be found on the ICO website). It includes a handy checklist, as well as links to other useful documents and the government’s Cyber Essentials Scheme.
How to contact us
If you’d like more detailed advice relating to the security obligations imposed by the GDPR, please contact Lowri Phillips at Lowri.Phillips@geldards.com