"Surprised and disappointed" was British Airways' (BA) response to the news that, following an extensive investigation into the cyberattack on BA in 2018, it would be the first organisation to be fined by the Information Commissioner's Office (ICO) for infringements of the General Data Protection Regulation (GDPR).
In September 2018, BA discovered that it had been subjected to a sophisticated, malicious and criminal attack on its website and app, dating back to June 2018. The attackers were able to direct BA customers to a false and fraudulent website where they stole the personal data of around 500,000 individuals.
BA reported the incident to the ICO within 24 hours of becoming aware of the attack (GDPR allows up to 72 hours), initially believing that the number of individuals affected was around 380,000. However, it later transpired that this number was higher and that personal data such as names, email addresses, credit card numbers, expiry dates and the CVC / CVV codes found on the back of credit cards had been stolen.
The ICO’s findings
The ICO’s investigation found that information was compromised by poor security arrangements at BA with the Information Commissioner, Elizabeth Denham, saying:
"People's personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear – when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
As such, the ICO issued a notice of its intention to fine BA £183.39 million for infringements of the GDPR.
BA have made it clear that they intend to appeal any fine issued. The ICO will therefore carefully consider the representations made by the company and the other concerned data protection authorities before it makes its final decision.
The value of this fine will likely shock many; however, one cannot ignore the seriousness and potential impact of the offences. This fine not only shows the true cost and power of GDPR in practice, but also that the ICO will not be afraid to flex its enforcement muscles when it deems punishment is required.
It is interesting to note that, whilst the ICO may be using BA to show how they will handle data breaches, this is not the maximum fine that could have been issued. Under GDPR, the ICO could have issued a fine equivalent to 4% of BA’s annual global turnover, but the £183m represents just 1.5%. I suspect that part of the reasoning behind not hitting BA with the maximum possible fine would be due to the serious damage and financial hardship that such a fine could cause, the impact of which could potentially lead to job losses, as well as having a negative effect on an already turbulent economy.
To put the nature of this fine into perspective, previously, the largest fine issued by the ICO was £500,000. Had the ICO issued BA with the maximum fine, then that would be in the region of £500 million. However, it is important to note that this fine is not the only financial repercussion facing BA.
Article 82 GDPR provides for a data subject to have the right to claim compensation for any material or non-material damage suffered in the event of a data breach. It would be the responsibility of the individuals affected to seek such compensation and any pay out would be in addition to the ICO’s fine.
As such, in September 2018, law firm SPG said it was taking a group action against BA to claim compensation for customers who suffered as a result of the data breach. It estimated that each individual might be able to claim up to £1,250 in compensation from BA with some reports claiming that the total claim could be as high as £500 million.
BA will likely have applicable insurance to cover the cost of any compensation claim. However, it is important to note that the ICO fine would be uninsurable and, as a result, would directly impact BA's balance sheet, causing a knock-on effect to its shareholders and the services provided by BA, as well as likely increasing the cost of insurance premiums. The impact could also trickle down to holidaymakers and businesses by way of increases in the cost of flights and holidays.
The next couple of years will be an indicator as to how much damage this will actually cause BA. If the public has lost its trust in BA then competitors such as Virgin, TUI or Emirates will look to take advantage which could lead to previously loyal BA customers choosing to fly with alternative providers. What is clear is that only time will tell.
How can Berry Smith help your business?
The ICO’s fine should make organisations look more carefully at "data risk" when evaluating potential sales, marketing or customer service gains.
However, as a law firm, we are still finding many organisations with insufficient policies and procedures in place to implement the elements of GDPR. Data protection should be a fundamental cornerstone embedded into each organisation and this fine will hopefully act as a wakeup call.
Organisations need to invest in appropriate technical and organisational procedures, as well as ensuring that their staff are adequately trained and that the necessary and applicable contractual documentation is in place. A failure to do so could hit organisations hard, both financially and in respect of reputational damage.
The message is clear - if you don't treat your customers' data with the utmost care, you should expect severe punishment when things go wrong. The question to ask yourself is, "is it worth the risk?"
Berry Smith has a team of expert lawyers specialising in Data Protection who are able to guide you through the complex nature of Data Protection and the GDPR and assist your business with demonstrating accountability and GDPR compliance. Amongst other things, we can advise you on the issues that need to be addressed, how to prevent data breaches, the documents an organisation should have in place and how to demonstrate your compliance.
For further information on this and all queries about GDPR please contact either Dan Dowen at firstname.lastname@example.org or Philip Griffiths at email@example.com or alternatively please call 029 20 345511 and ask for the commercial team.
Dan Dowen - Associate
Philip Griffiths - Senior Consultant