On 8 July, the UK Information Commissioner’s Office (‘ICO’) announced its intention to fine British Airways for its well publicised 2018 data breach. This is the first proposed enforcement penalty issued by the ICO under the General Data Protection Regulation (‘GDPR’) and, at GBP 183.39 million, amounts to 1.5% of British Airways’ revenue from 2018.
There has been an initial reaction of surprise at the size of the fine, given the generally positive commentary from industry experts on how the airline handled the incident. Notification appears to have occurred within 72 hours of the incident being discovered, and there was frequent and transparent communication with customers. So why is the ICO taking a hard stance on this case?
While not a lot of information has been disclosed at present, the main item highlighted in the ICO’s announcement is that its investigation revealed poor security practices at the airline. This is characterised by a dwell time (the amount of time between the attack first taking place and it being discovered) of around three months. That dwell time allowed attackers to continue stealing a large amount of personal data, including payment details, while British Airways and its customers remained completely unaware.
Additionally, it’s important to note that while the figure will make for good headlines, the fine is “only” 1.5% of British Airways’ revenue. This is less than half of the maximum penalty that can be issued under the GDPR, which caps at 4% of global turnover. It is, however, a noticeable step up from the previous Data Protection Act penalty structure, where Facebook were issued the maximum GBP 500,000 fine late last year. Under the GDPR, a maximum 4% fine for Facebook would have equated to GBP 1.75 billion.
As alluded to in the ICO’s announcement, and as discussed in our article ‘Reading the Fine Print’, an organisation’s security controls will be closely scrutinised by data protection authorities following a data breach and will be a crucial contributing factor in the calculation of penalties. Implementing effective security controls that help prevent a breach and reduce the dwell time of incidents must be a priority for businesses handling personal data. In addition, a well-rehearsed incident response plan is a crucial part of handling the fallout from an incident, and British Airways’ response to its data breach could be the reason it is facing a 1.5% fine rather than something approaching 4%.
This is just the initial announcement of the ICO’s intentions and British Airways have already declared that they will appeal the fine. It will be a long time before the dust settles and this will likely become an important test case for the regulation.