[co-author: Francesco Palma]
When British Airways (“BA”) suffered a significant personal data breach in September 2018, just months after the coming into force of the EU General Data Protection Regulation (“GDPR”), all eyes were on the UK’s Information Commissioner’s Office (“ICO”). Would the ICO use the UK’s flagship airline as a “poster child” for post-GDPR enforcement? Was this the moment that the much-hyped fines of up to 4% of global turnover would come to pass?
On 8 July 2019, the ICO announced that it had issued a notice of intention to fine BA in the amount of £183.39 million (equivalent to about 1.5% of the company’s worldwide 2018 turnover) (“Notice of Intention”). BA then had the opportunity to make representations to the ICO regarding its proposed findings and the £183.39 million fine. Despite BA cooperating fully with the ICO’s investigation and making improvements to its security arrangements, the process has been protracted.
On 16 October 2020, the ICO finally published a penalty notice imposing a £20 million fine due to BA’s failure to “process the personal data of its customers in a manner that ensured the appropriate security of the data.” The fine represents an astonishing £163 million reduction from the level stated in the Notice of Intention, including a discount for cooperation and a further discount for the financial hardship suffered by BA in an industry that has been hard-hit by COVID-19.
The 114-page Penalty Notice makes for interesting reading. It provides some important insights into the ICO’s approach to assessing the appropriateness of technical and organisational measures necessary to protect personal data, and as to how the ICO deployed its enforcement powers under the GDPR and UK Data Protection Act 2018. Most readers will be familiar with the facts already, but there is a primer at the bottom of this article if you need a refresher. The Penalty Notice will no doubt be scrutinised extensively over the coming weeks, but here are five key takeaways for those who are, or might be, under investigation by the ICO.
- Use every single procedural avenue available
The ICO is a regulator like any other and must follow the Regulators’ Code, the GDPR and the DPA 2018. It also has its own Regulatory Action Policy to apply when engaging in enforcement action.
The ICO commenced its investigation in response to BA’s notification of the attack on 6 October 2020. On 8 July the ICO announced that it had issued a Notice of Intention to Fine (“Notice of Intention”) against BA. The Notice of Intention included a proposed fine of £183.39m.
In response to the Notice of Intention, BA submitted a set of written representations. It did not, however, ask the ICO if it could make oral submissions—a procedure that can be very effective. BA’s written representations focused on i) technical arguments regarding the ICO’s assessment of the cyber security incident and BA’s security landscape, and ii) the ICO’s use of its enforcement powers. The Penalty Notice suggests that BA’s legal team adopted a thorough and well-reasoned approach to challenging the ICO, not only using data privacy and cyber security grounds but also principles of public law that apply to the ICO.
Further, BA exploited the fact that this was a complex international investigation with the ICO as the lead EU Supervisory Authority and successfully persuaded the ICO to grant it further opportunities to make submissions and representations.
BA also persuaded the ICO of the need to hear further from it on the impact of COVID-19 on BA’s financial position. It is unlikely to be coincidental that the ICO recently published additional guidance on how it is approaching regulation during the COVID-19 pandemic. In BA’s case, this resulted in a £4 million reduction in the level of the fine.
All of these procedural and legal challenges will no doubt have affected the level of the fine ultimately faced by BA, and they demonstrate the importance of carefully considering every avenue of challenge available to an organisation facing enforcement action in the privacy space.
- The journey from £183m to £20m
Many commentators are rightly focused on the substantial decrease in the level of fine from £183 million to £20 million. The ICO explains, in detail, how its Regulatory Action Policy and Article 83 of the GDPR set out a framework for the calculation of financial penalties, including:
- the nature, gravity and duration of the infringement as well as the number of data subjects affected and the level of damage suffered by them;
- the intentional or negligent character of the infringement;
- any action taken by the controller or processor to mitigate the damage suffered by data subjects;
- the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
- any relevant previous infringements by the controller or processor;
- the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
- the categories of personal data affected by the infringement; and
- whether the infringement was notified to the regulator.
Mysteriously, the ICO then simply states that following these considerations the penalty amount will be £30 million. The Penalty Notice then quickly moves on to state that due to BA’s cooperation with the ICO’s investigation, it will receive a 20% discount on the £30 million (down to £24 million). The ICO then goes on to acknowledge the financial impact of COVID-19 on BA and provides for a further discount of £4 million (down to £20 million).
The ICO does not, at any stage, grasp the nettle of why the headline fine dropped so significantly over the period from 8 July 2019 to now. It simply states that, following an analysis of these factors, the Commissioner has determined that a penalty of £30 million is “appropriate to reflect the seriousness of the breach and takes into account the need for the penalty to be effective proportionate and dissuasive.” Does this mean that the original proposed fine of £183.39 million was inappropriate and disproportionate and, if so, why was such a figure mooted at all? The absence of any real explanation for considering the imposition of such a substantial fine and then reducing it creates real ambiguity and uncertainty for businesses.
- Language matters – yours and theirs
This investigation appears to have been largely conducted on the basis of written representations and responses. The Penalty Notice is peppered with extracts from BA’s written representations, some of which will be seized upon by claimants looking to pursue BA (and those who already are) for compensatory damages following the personal data breach.
The ICO’s assessment of BA’s interpretation of the event is, at times, unflattering. For example, the Penalty Notice refers to BA’s statements which, the ICO says, “trivialise what was a serious failure”, including BA’s assertions that credit card breaches are “an entirely commonplace phenomenon” and therefore “an unavoidable fact of life” (7.12(c)). It is hard to know whether these quotes were taken out of context, but they do not read well and will no doubt support claimants’ claims.
The ICO also rejects BA’s interpretation of the likelihood of data subjects having suffered distress as “inherently unlikely”. The ICO found that consumers will be distressed upon learning about the misuse of their payment data and that data subjects could still experience distress regardless of any remedial actions taken by BA, such as reimbursement.
With UK collective actions (akin to class actions) on the rise, these statements may be problematic for BA when faced with consumer claims in the English Courts. It is a stark reminder to organisations under investigation to pay close attention to the language used in their submissions to regulators. They should always be drafted with a wider audience in mind.
- The importance of “considered cooperation”
Any business should have a good relationship with its regulator, whether data, financial or otherwise, and that is never more important than when facing enforcement action. Historically, however, businesses appear to have taken a more laissez-faire approach to data regulators compared with other, more ‘serious’ regulators.
While the ICO is a regulator and organisations have a duty to cooperate with it, especially in the wake of a personal data breach, that cooperation must be carefully considered to reflect the significant risk attached to any post-breach investigation. Missteps in the course of a crisis are only too common and can easily be compounded by an enthusiasm to over-share with the regulator.
Time and again, businesses volunteer information and adopt an overly proactive and accommodating approach that only invites more questions than would otherwise have been asked. A cultural shift in the way businesses think about the data regulator is necessary if they are to manage risk effectively under the new regime.
In this case, while BA cooperated with the ICO, it also pushed back and challenged the ICO where necessary and appropriate. This resulted in a discount for cooperation (20% of the headline fine) while at the same time reducing the headline fine itself. Cooperation is important, but considered cooperation is vital, and striking the right balance will have a material impact on enforcement outcomes.
- Enforcement does not happen in a vacuum
BA is the flag carrier airline of the United Kingdom. It is a significant national business and has suffered severe financial hardship due to the global COVID-19 pandemic. On 24 September 2020, the ICO published an “Updated regulatory approach in response to the coronavirus pandemic.”
In this document the ICO states that, when taking enforcement action, it will take into account a) whether an organisation’s non-compliance results from the coronavirus pandemic, and b) the economic impact and affordability of fines, meaning that the level of fines will likely be reduced.
While some will decry the reduction of the fine by a further £4 million due to BA’s financial hardship, given the measurable impact COVID-19 has had on BA’s business operations and profitability, it is surely right for the ICO to respond pragmatically.
A Factual Snapshot
- The attacker obtained access using the credentials of a third-party contractor.
- The attacker maintained the ability to move within the system undetected between 22 June and 5 September 2018 and used low-level access to escalate privileges within the BA network.
- In addition to data exfiltration, the attacker diverted user traffic from the British Airways website to a fraudulent site, through which the attacker was able to harvest user credentials—including credit card information and other details—in real time.
- A total of 429,612 data subjects were impacted.
- The categories of personal data impacted included names, addresses, card numbers, CVV codes, PIN codes, usernames, and passwords. Of particular concern was the exposure of full unencrypted financial information.
- BA found out about the breach on 5 September 2018 and notified the ICO on 6 September 2018 (taking more than two years to get from notification to a final resolution).
- BA cooperated fully with the ICO’s investigation and made improvements to its security arrangements.