The Information Commissioner’s Office (ICO) is set to impose a record financial penalty of £183m against British Airways (BA) for last year’s breach of its security systems. David Edwards, head of Harrison Drury’s Regulatory team, examines what happened.
The General Data Protection Regulation and the Data Protection Act 2018 (collectively known as the “data protection framework”) came into effect last year and provided a much-needed update to data protection legislation.
Importantly, the framework imposes a duty on all organisations to ensure they have robust breach detection, investigation and internal reporting procedures in place. This is coupled with a duty to report certain types of personal data breach to the relevant supervisory authority, i.e. the ICO, within 72 hours of becoming aware of the breach, where feasible.
The ICO has disclosed that in June 2018, internet hackers compromised the British Airways website by diverting approximately 500,000 customers to their own fraudulent site, stealing data from thousands of customers in the process. Not only was name and address information compromised, but credit card details, including card numbers, expiry dates and three-digit CVV codes, were stolen by the hackers.
Critically, Information Commissioner, Elizabeth Denham, stated: “When an organisation fails to protect [personal data] from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Although BA has not revealed any technical details about the breach, the organisation has co-operated with the ICO during this investigation and made improvements to its security arrangements since these events came to light.
What penalties can the ICO impose?
Until the new data protection framework came in, the biggest penalty the ICO had imposed upon an organisation was £500,000 against Facebook for its role in the Cambridge Analytica data scandal. Now, under the new data protection framework, the ICO can impose fines of up to whichever is greater: 20 million Euros or 4% of group worldwide turnover.
In this case, the proposed fine against British Airways (BA) will amount to only 1.5% of its turnover in 2017. Nonetheless, this will be a significant financial hit upon BA.
What should we do to protect our customers and their personal data?
At first glance, personal data breaches, or even GDPR as a whole, may appear to small and medium-sized businesses to be something they needn’t worry about. However, this is not the case, and we would strongly urge organisations to take steps, as soon as possible, to ensure data protection compliance.
The security principle embedded within the data protection framework goes beyond the way organisations store or transmit information. Every aspect of their processing of personal data is regulated, not just cybersecurity.
Although the GDPR does not specify what security measures need to be in place, it is clear that both organisational and technical policies and procedures will need to be properly examined and implemented in order to protect the personal data that organisations handle and process.
If you would like further information about GDPR for your organisation, or would like further advice on personal data breaches, please contact our Regulatory team.