The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20m for failing to protect the personal and financial details of its customers. The failures themselves amounted to breaches of data protection law but also meant that, when BA was hit by a cyber-attack in 2018, the attack went undetected for two months and the attacker was able to compromise the data of over 400,000 customers.
The ICO acknowledged that BA acted quickly and appropriately once the breach was discovered. However, BA ought to have identified and resolved the security weaknesses as part of its general compliance and, had it done so, an attack of this type could have been avoided. The ICO rejected BA’s argument that the attackers were primarily responsible for the breaches, since the breaches related to BA’s failure to comply with its obligation to put appropriate security measures in place. The deficiencies in BA’s systems had clearly been present for some time, and the ICO considered that BA had failed to meet several key obligations, including privacy by design. This is a serious reminder of the importance of having robust compliance and review measures in place to keep systems up to date, rather than waiting to respond to a breach.
Whilst the £20m fine is the highest GDPR-related fine issued in the UK to date, it is interesting to note that this has been substantially revised down from the £183m initially proposed by the ICO last year. The ICO notes that, but for the Covid-19 Policy which allows it to take account of the impacts of the pandemic, the fine would have been £24m. This is still significantly less than the maximum possible fine of 4% of an undertaking’s turnover, and indeed considerably less than 1% of BA’s worldwide annual turnover.
The reduction from the initially proposed fine is of interest, especially given that this breach was considered particularly serious in both its size and its consequences for the affected individuals. We will continue to watch how developments in this area play out, particularly in respect of the quantum of the intended Marriott fine and whether that will also be reduced (the ICO issued a notice of its intention to fine Marriott International £99,200,396 in July 2019). The fine is still a significant amount and, as the ICO’s first material GDPR-related fine, represents a serious statement of intent as to its enforcement position going forward.