On Friday 16th October, the Information Commissioner’s Office (ICO) announced its long-awaited fine of British Airways plc (BA) for breach of the GDPR following a cyber-attack in 2018. The final fine of £20 million is the second, and the largest, fine issued by the ICO under the GDPR.
As a quick reminder, the cyber-attack on BA compromised the sensitive financial data of over 400,000 customers and staff and was undetected for over two months.
The publication of the final fine follows extensive legal and technical submissions by BA since the original notice of intent in July 2019. In that notice the ICO had indicated an intention to fine BA £183.39m, so the final penalty represents a significant reduction. Whilst the ICO has found that BA failed to have appropriate security measures in place, BA has specifically not admitted the failings identified by the ICO.
So what learnings can be taken from this?
The penalty notice provides a good checklist of the technical and organisational security measures the ICO expects organisations to have in place. Businesses should therefore assess their own measures against this checklist.
The notice also makes clear that prompt reporting to the relevant authorities and data subjects, full cooperation with regulatory and governmental bodies, and taking steps to mitigate harms to data subjects (including offering to reimburse financial loss and providing free credit monitoring) played a significant part in the ICO’s reduction of the fine. These findings once again emphasise the importance of businesses having well-developed and tested response plans, so that incidents are escalated with the right degree of urgency.
Critically, the biggest reduction appears to have resulted from the ICO’s decision not to calculate the fine in line with its ‘Draft Internal Procedure’, which used ‘turnover bands as a starting point for the penalty calculation’ and would have led to a much higher starting point for determining the fine.
A public consultation on the ICO’s Statutory guidance on our regulation policy was launched in October 2020. Contrary to the calculation of the final BA fine, the ICO’s proposal provides that the starting point for all fines should be turnover-based, including a matrix to that effect.
The BA fine should not therefore be taken as indicative of the level of future fines for breaches of this seriousness. Instead, future fines will be calculated in line with the Statutory Guidance, once finalised and implemented, and could lead the ICO to impose fines of the scale originally proposed against BA.
It is also worth businesses remembering that the costs of a breach of the GDPR do not stop with regulatory enforcement action. Follow-on litigation from data subjects could ultimately be more costly than the regulatory fine itself. The claim brought by data subjects against BA is still working its way through the court process, so the final cost to BA of the data breach is not yet known.