David Edwards, director and head of Harrison Drury’s regulatory team, outlines the outcome of ICO’s penalty decision against British Airways after a significant data breach and reminds businesses of their responsibilities regarding data protection and management.
In 2019, David reported on the Information Commissioner’s Office (ICO) financial penalty of £183m against British Airways (BA). On 16 October 2020, the ICO reduced the penalty to £20m. Despite being one of the largest fines issued by the ICO, there can be no doubt that BA will be breathing a sigh of relief that the original £183.39m has been significantly reduced to £20m.
What is important to note is that it is still a substantial penalty for any business to incur, and a warning to other businesses not to be complacent about data security.
The investigation conducted by the ICO found that the airline was processing a significant amount of personal data without adequate security measures in place, which, in turn, was alleged to have resulted in unauthorised access to personal and payment card information relating to more than 400,000 of its customers. The cyber-attack went undetected for more than two months. The data accessed included:
- Names and addresses of around 244,000 BA customers
- Payment card numbers belonging to customers
- CVV numbers
- Usernames and passwords of BA employee and administrator accounts
- Usernames and PIN numbers of up to 612 BA Executive Club accounts that were accessed.
The penalty notice issued by the ICO to BA in 2019 identified numerous failings and missed opportunities to improve data security. It is worth noting, at this point, that as soon as BA were aware of the cyber-attack and data breach, they did act promptly and notified the ICO.
It is some 15 months since the ICO issued BA with a Notice of Intent. BA has now secured a very hefty fine reduction of £163m, following consideration of various factors, and with the ICO adopting a more granular approach to the question.
COVID-19 pandemic offers no excuse for leniency or complacency
It is easy to conclude that the significant reduction in the penalty to BA might have been applied to reflect the continued economic pressure on the airline caused by the COVID-19 pandemic.
However, closer inspection of the ICO’s penalty notice reveals that the ICO applied a discount of only £4m to reflect the impact of COVID-19, making it clear that organisations should not expect significant regulatory leniency during these difficult times.
In determining the level of the fine, the ICO took into account various mitigation factors, which accounted for a further reduction of £6m.
These factors include:
- BA acting promptly to mitigate the potential risk of damage suffered by the data subjects, by issuing a press release to 5,000 journalists and commentators.
- BA notifying the FCA and other regulatory and governmental bodies in the aftermath of the cyber-attack, including the UK police, the Civil Aviation Authority, HMRC, the Department for Transport, the National Crime Agency and the National Cyber Security Centre.
- BA also offered to reimburse all customers who had suffered financial losses as a direct result of the theft of their card details.
Factors taken into account in line with the GDPR
The ICO also deducted a further £30m after consideration of the following factors, in accordance with Article 83(2) GDPR:
- the nature, gravity and duration of the infringement – the ICO considered the failings to be serious, affecting a number of individuals over a period of 103 days. The Commissioner confirmed that there were multiple measures that BA could have put in place that would have prevented or mitigated the cyber-attack;
- intentional or negligent character of the infringement – although the breach was not intentional, the ICO found that BA had been negligent (within the meaning of Article 83(2)(b) GDPR);
- any action taken by BA to mitigate the damage suffered by data subjects – the Commissioner considered this point carefully and concluded that whether BA’s mitigating action is taken into account at this stage makes no difference to the ultimate decision on what, if any, penalty to impose;
- degree of responsibility – the ICO found BA fully responsible for the data breaches; furthermore, BA is under an obligation to have appropriate safeguarding measures in place;
- relevant previous infringements – BA had no relevant previous infringements;
- degree of cooperation – BA cooperated fully with the ICO’s investigation;
- categories of personal data affected – although no special categories of data were affected, the nature of the data remains sensitive, including the 77,000 customers whose card data was compromised;
- manner in which the infringement became known to the ICO – BA acted promptly in notifying the Commissioner of the cyber-attack and thereby complied with its obligations in this respect;
- whether measures referred to in Article 58(2) had previously been ordered against BA;
- adherence to approved codes of conduct;
- any other aggravating or mitigating factors applicable.
There is no further guidance or explanation available on the additional £123m which the ICO deducted from the initial £183m, other than a consideration of the legal framework, the circumstances of the failure and the personal data involved in the failure.
Further fines to be implemented by the ICO
The ICO issued a notice of intent to fine Marriott International Inc £99m in July 2019, but has not yet confirmed the level of the resulting fine. Attention will be focused on the ICO’s proceedings against Marriott, particularly as there are obvious similarities to the BA case concerning cyber-attacks and data breaches. Marriott International may feel at ease following the reduction in BA’s fine; however, as highlighted above, only a small proportion of the reduction was specifically attributed to the COVID-19 pandemic. It therefore remains to be seen how the ICO’s recent decision will affect the outcome of the Marriott case.
Importance of having compliant data policies and practices in place
What can be confidently said is that businesses of all sizes must continue to take a proactive grip on their responsibilities for data protection and management, and seek to ensure that compliant and transparent policies, procedures and practices are in place.
What can also be said, with equal force, is that in the event of a breach, such policies and practices will affect the speed with which the issue can be identified, rectified and, where required, reported – the BA case materially demonstrates the significant financial benefit that this approach can have.
If you wish to discuss any issues raised in this article or concerning your business’s data compliance and policies, please contact Harrison Drury’s regulatory team on 01772 258321.