BA data breach

The Information Commissioner’s Office announced that it intends to fine British Airways for infringements of the GDPR.

Executive summary

On Monday 8 July the Information Commissioner’s Office (ICO) announced that it intends to fine British Airways (BA) £183.39 million for infringements of the General Data Protection Regulation (GDPR). The proposed fine relates to a cyber incident notified to the ICO in September 2018, which in part involved user traffic to the BA website being diverted to a fraudulent site. As a result of the incident, the personal data of approximately 500,000 customers was compromised, including login, payment card and travel booking details as well as name and address information.

The facts

The ICO’s investigation found that BA had poor security arrangements in place to safeguard customer data. This would constitute a breach of Article 32 of the GDPR, which requires data controllers to take appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Specific details regarding the nature of the GDPR infringements are not yet available, and it will be interesting to see the ICO’s comments on these when its final decision is published.

BA and other concerned EU member state data protection authorities have 28 days to make representations before the ICO takes its final decision, but if the fine stands it will be about four times larger than the next biggest fine issued under the GDPR, imposed by the French regulator on Google in January this year. The scale of the intended fine has come as a shock to some, not least to BA itself, whose CEO, Alex Cruz, was quoted as saying:

“We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”

However, from a regulatory perspective the data breach could not have come at a worse time for BA; its status as a household name with deep pockets made it a perfect target for a regulator looking to make an example of a company that failed to comply with the new regulatory landscape. The Information Commissioner, Elizabeth Denham, has not held back in her criticism of BA, commenting:

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. The law is clear, when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Whatever the final figure, this fine will inevitably act as a benchmark for future GDPR fines issued by the ICO. The intended fine is 1.5% of BA’s turnover for the 2017 financial year, and there are a number of mitigating factors that the ICO no doubt bore in mind when setting it, including BA’s co-operation with the investigation, the fact that it has made improvements to its security arrangements since the events came to light, and the fact that (according to BA) there was no evidence of fraud or fraudulent activity on accounts linked to the theft.

The maximum fine that can be levied under the GDPR is EUR 20 million or 4% of the company’s total annual worldwide turnover for the preceding year (whichever is greater). The ICO could therefore have fined BA almost £500 million if it had exercised its powers to the fullest extent permitted. Prior to the entry into force of the GDPR, the maximum permissible fine was only £500,000.

The ICO has stated that it does not intend to use its powers under the GDPR to put companies out of business, and it certainly appears that BA, which last year made an operating profit of £1.96 billion, will be able to withstand the fine. However, it is clear that the ICO will not shy away from levying large fines on businesses if it thinks their conduct merits it.

The fine gives rise to a number of interesting implications. It is good news for the claimant law firm community, which has been encouraging affected individuals to make distress claims against BA. Under Article 82 of the GDPR and section 168 of the Data Protection Act 2018, anyone who suffers distress as a result of a contravention of the GDPR is entitled to compensation, and the ICO’s decision is prima facie evidence that a contravention has occurred. It remains to be seen whether these firms can overcome the procedural obstacles to bringing compensation claims en masse for GDPR contraventions, but if they can, distress claims may become a very profitable line of business. The extent to which BA will be able to pass on some or all of these losses to its insurers (and, if so, which insurers) also remains to be seen, as does whether BA’s shareholders will seek to pass the fine on to BA’s directors (and by extension its Directors & Officers insurance policy). In the past, attempts to pass regulatory fines on to directors have tended not to be successful, but the legal position remains unresolved.

Comment

If ever there was a time to review your data security policies and procedures, this is it. Having a cyber insurance policy will certainly help, but an ounce of prevention is worth a pound of cure. A pro-active approach to GDPR compliance will help prevent issues from occurring in the first place and put you in a better position to respond if a data breach or other data event does occur. Through our CyXcel product, we can assist with all aspects of data breach preparedness, from drafting policies and procedures and preparing a data breach response plan through to resilience and penetration testing delivered by our team of carefully selected partner organisations.

If you would like to learn more about the case in question or our services please contact;
