British Airways - the ICO shows its teeth

This morning the Information Commissioner’s Office announced that it intended to impose a fine of £183.39m on British Airways in respect of the well-publicised data breach, in which, beginning in June 2018, the data of 500,000 customers was compromised.

This morning the Information Commissioner’s Office announced that it intended to impose a fine of £183.39m on British Airways in respect of the well-publicised data breach, in which, beginning in June 2018, the data of 500,000 customers was compromised. This fine amounts to approximately 1.5% of BA’s worldwide turnover.

This seems to have hit BA - and one expects - the market, with some surprise. Whilst the ICO has not yet published the details of its decision it appears to have based the fine on pre-existing poor security arrangements that enabled the attack. It notes BA cooperated with the investigation and has since made improvements. Indeed, despite the size of the fine, it appears that BA successfully reported the breach within the required period and broadly proceeded to implement an effective incident response plan. BA’s chairman and chief executive, Alex Cruz, has defended the airline’s response stating the company "responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft”.

There was a great deal of fearmongering in advance of the GDPR coming into force, and a particular focus on the potential levels of the fines, which - lest you need reminding - can go up to the higher of €10m or 2% of global turnover in the standard range, or the higher of €20m or 4% of global turnover in the higher range. However, that appeared to have settled down in recent months. As of March 2019 roughly €56m of fines had been imposed (of roughly 206,000 cases reported). The vast majority of which was attributable to the previous highest single fine which was imposed by the French National Data Protection Commission (CNIL) on Google in January for €50m (approximately 0.0125% of the maximum possible, roughly $4bn fine). Others have been more limited still: a Portuguese hospital was fined €400,000 in December 2018, and a German social media company was fined €20,000 in November 2018.

It is also far in excess of any fine imposed in this sphere in the UK to date; the ICO’s previous highest fine was for £500,000 against Facebook last year - albeit that this represented pre-GDPR conduct. The FCA’s previous highs in the broad cybersecurity / data protection area have been £16.4m against Tesco in 2016 in respect of a cyber attack in which £2.26m was stolen but no data compromised and £2.27m against Zurich Insurance in respect of a data loss incident.

All in all, this represents a significant ramping up in what some companies might perceive as the “threat level” coming from the ICO.

The ICO’s enforcement notice has not yet been published (and we will return to this analysis when it is) but it will be particularly interesting to see the ICO’s rationale for the level of the fine and (potentially) shake up in expectations it represents. However, whilst we doubt the reasoning below will take great precedence in any official document, we would suggest the below are significant:

  • announcing the presence of the ICO (and by extension other European data regulators) as a major, board level issue for all firms, not just those such as Facebook and Google in the tech industry, and

  • if not now, when? Whilst a number of large cyber incidents have been in the news in the last year the BA breach still stands out both for its scale and the profile of the company involved. There is no doubt that the majority of GDPR enforcements have been and very likely will continue to be more akin to the lower profile cases we have seen throughout Europe to date. It is easy to imagine that, were the ICO to have suggested a lower fine - perhaps in line with that imposed on Google by the CNIL - blogs such as this would be suggesting that such a fine for such a significant case indicated that the regulators were not in fact willing to use the full extent of their power. It was after all not until last year and in the shadow of the GDPR that the ICO imposed the maximum possible fine under the former regime (£500,000, on Facebook). One could have been forgiven for thinking that the ICO would display a similar degree of conservatism to its new powers. Any such notion has now been firmly disabused.

The size of the fine raises a number of issues which many companies are likely to have previously considered but are now more pressing. One of the most significant is likely to be the impact on the cyber insurance market. It is not yet clear whether BA has sought to insure against the risk of such fines, indeed the legality of such is far from clear. Regardless, while the fine is being reported as equivalent to less than 10% of its profits this is a significant financial blow to the company that cannot help but make other corporates take notice and dramatically increase the pressures being placed on chief information officers.

It is perhaps that which best encapsulates the ICO’s aim. While it is reported that BA is appealing the decision (almost regardless of the outcome of any appeal) a clear marker has been laid down to companies around the world that, a bit more from a year on from the introduction of the GDPR, they should not get too comfortable. Regardless of the eventual outcome, the ICO’s reputation as a powerful regulator has been enhanced and BA’s reputation will suffer a further significant blow. To quote the Information Commissioner back at herself (entertainingly from a 2017 blog written to try and disabuse those of the notion that the GDPR was all about heavy financial penalties), they “can’t insure against that”.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.