The fall-out from the 2018 data breach that saw the information of hundreds of thousands of British Airways (BA) customers stolen has not yet fully settled, but a significant milestone along the way was reached on 16 October 2020, when the Information Commissioner’s Office (ICO) announced that its proposed fine of £183m would be reduced to just £20m, but the decision has far-reaching implications for future victims and regulators under the General Data Protection Regulation (GDPR).
In a 114-page document detailing its decision the ICO set out a litany of cyber security failings at BA but recognised its swift and appropriate response once it was notified of the incident. Its decision also acknowledged the impact of the Covid-19 pandemic on the airline’s financial situation.
Byrony Long, a partner at law firm Lewis Silkin, described the reduction in the fine as a win for BA, considering the magnitude of the security failings that took place there. “This decision just demonstrates there is clear room for manoeuvre once an ICO notice of intent is issued and we suspect BA will be happy with this result,” she said.
Vanessa Barnett, commercial and IP partner at Keystone Law, said: “In the grand scheme of things, it’s important that the punishment fits the wrongdoing: whilst the GDPR certainly has teeth and can really bite quite hard, it’s great to see the ICO continuing with its attitude of proportionality that existed pre-GDPR.
“Don’t forget that before GDPR the statutory limit was £500,000. £500,000 to £20m is a big jump and will still very much focus the mind. The ICO may have felt some moral pressure not to whack BA even more in the midst of a global pandemic which is affecting it hugely and luckily, its enforcement framework allows that.”
Britt Endemann, co-head of data governance, technology solutions, forensics and IT at the Forensic Risk Alliance, which specialises in data breaches, privacy, transfer and protection, said: “The UK ICO guidelines have always been clear that their GDPR fine regime would take into account the affordability of a penalty and its economic impact on a business.
“Given the enormous repercussions of the pandemic on the travel and aviation sector, a significant fine reduction doesn’t come as a surprise.”
But Ann Bevitt, a partner at law firm Cooley, disputed these viewpoints. “Some 15 months after the ICO indicated that it was going to fine BA £183m for a security breach affecting more than 400,000 customers, its announcement that the actual fine will be just over 10% of that sum seems a little surprising,” she said. “Although it is, at £20m, by far the highest fine the ICO has levied to date, it is significantly less than the Hamburg data protection authority’s recent fine of €35m regarding H&M’s monitoring of hundreds of employees.
Bevitt suggested that this might mean impact of the pandemic had been a substantial deciding factor for the ICO in softening its approach. “However, the ICO’s pragmatism may mean that this fine does not have a significant deterrent effect on other companies which are not in compliance with the GDPR,” she said.
Endemann at the Forensic Risk Alliance forecast that the ICO’s decision may have repercussions for the regulator – and thence data protection law – because the scale of the reduction raised questions over whether the ICO had arrived at the right decision to begin with.
“These headlines, and the perception of backtracking, could begin to undermine the credibility of the ICO, leading consumer groups and others to question its efficacy,” she said.
“Given their increased regulatory powers, it’s important that the ICO are able to balance deterring bad behaviour, with being proportionate. The enforcement actions of other regulatory bodies around the world provide an effective blueprint on acting authoritatively whilst also working effectively with the companies themselves. This will be key in protecting consumers as well as maintaining their support,” she said.
This was also the view taken by Matt Lock, UK technical director at Varonis, who said: “By dropping the size of the fine by £163M due to the current climate it could be argued that ICO have taken a lenient approach. This opens the doors for all sorts of confusion with future fines, and organisations will be well within their rights to argue more leniency.
“The timing is also insensitive and will not paint the ICO in a good light, regardless of their objective to keep us safe. They’ve had months and months to determine how they progress with this fine, and they choose now, in the middle of a major crisis, to slap BA with a fine.”
Class action suit
The reduction in the fine also adds fuel to the ongoing class action lawsuit against BA, said Long at Lewis Silkin.
“Completely separate from the £20m fine by the ICO, British Airways customers, and indeed any staff impacted, are likely to be entitled to compensation for any loss they have suffered, any distress and inconvenience they have suffered, and indeed possibly any loss of control over their data they have suffered,” she said.
“This might only be £500 a pop but if only 20,000 people claim that is another potential £10m hit, and if 100,000 then £50m. So whilst a win today, this is very much only round one for BA.”
Darren Wray, co-founder and CTO of privacy specialist Guardum, said it was easy to imagine many of the breach’s actual victims would be put out by the ICO’s decision.
“Many will feel their data and their fight to recover any financial losses resulting from the airline’s inability to keep their data safe has been somewhat marginalised,” he said.
“This can only strengthen the case of the group pursuing a class action case against BA. The GDPR and the UK DPA 2018 do after all allow for such action and if the regulator isn’t seen as enforcing the rules strongly enough, it leaves those whose data was lost few alternative options,” said Wray.
Cyber security failings biggest cause of GDPR fines
Meanwhile, analysis conducted by data management firm Exonar has shown that cyber security failings, such as what happened at BA, were by far and away the biggest cause of fines levied by European data protection regulators under the GDPR.
The firm said that 39% of GDPR-related fines came about as the result of insufficient security measures, totalling over £185m to date, compared to 26% of fines totalling £123.7m that resulted from unsecured and over-retained data.
Unlawful use of personally identifiable information (PII) and/or failure to comply with a Data Subject Access Request (DSAR) was found to be behind 19% of GDPR fines, totalling £92m. The remaining 16% of fines, totalling £77m, were due to other issues, such as Uber’s failure to report a breach in a timely manner, or H&M’s snooping on its staff.
“Securing your data first can play a vital role in not only meeting GDPR standards but also help mitigate the risk of the insufficient security – as it will be harder for hackers to access any data in the event of a breach,” said Exonar CEO Danny Reeves.
“Many organisations simply don’t know what data they’ve got, or how much over-retained data they hold because it is no longer visible,” he said. “Dark data like this is a point of weakness in any organisation – and in order to fully secure the data, organisations need to first get a clear understanding of what data they hold.”