In June, BCLP hosted a high-profile data breach seminar, in which industry specialists, the ICO’s Head of Investigations, a former convicted hacker and BCLP’s data breach team came together to conduct a mock data breach exercise and discuss issues that arise when firms are hit by a data breach in the current enforcement climate. During the seminar we asked our audience, made up of Execs, CISOs, DPOs, lawyers and other professionals, a number of questions about their own approach to data breaches. Over the coming weeks we will be discussing some of the notable points that arose out of the answers to those questions.
The seminar highlighted the tension inherent in many breaches – what information do you disclose when forced to publicly announce a breach while your investigation is ongoing? One business which recently encountered this dilemma, and may face a fine in part as a result of its decision, is British Airways.
On 8 July 2019, British Airways announced that the ICO intended to fine it £183m for breaches of data protection law, following a cyber security incident in August and September 2018.
British Airways stated it was defending itself vigorously following the initial finding and will be making representations to the ICO. When the ICO does publish its final decision, we expect to have a fuller picture of what actually happened, and whether or not the way in which British Airways responded when it first came to know of the breach may have fed into the level of the proposed fine.
British Airways initially announced on 6 September 2018 that 382,000 transactions carried out via its website and app between 21 August and 5 September had been compromised, and that it had begun contacting customers the moment it became aware of that breach. Yet by the end of October 2018 the picture had changed – of those initial 382,000 transactions, apparently only 244,000 were affected, but British Airways had now identified about 185,000 more compromised transactions. Of those, some transactions potentially involved the additional compromise of the CVV number on the payment card used.
The result is that some individuals received a notification which may ultimately have been unnecessary, while others whose data security had been compromised may only have found out much later.
The legal (and arguably moral) requirement to tell customers about a problem is paramount, but sometimes an announcement in the moment can be inaccurate, and can either cause concern where none is required, or vice versa. There will also always be a conflicting impetus to minimise negative PR by controlling the message while not disseminating inaccurate information. One practical tip with early announcements and notifications is to avoid being too definitive or specific as to the extent of the impact when the situation is still prone to change.
Those inherent dilemmas were shown clearly by the audience survey taken at our data breach seminar. When asked how they would handle public notifications when knowledge of a data breach was unfolding but they hadn’t yet confirmed the scope of the personal data that had been compromised, our audience was split:
- 38% stated they would notify all of the individuals whose data they held;
- 26% said they would contact only those whose data at that time they thought may have been compromised; but
- 36% said they would not make a notification to individuals at all at that point.
So British Airways may not be alone in grappling with the conflicting tensions of protecting its customers and complying with the law around notifications before its investigation is complete. Making defensible decisions and doing the best for customers requires a clear security incident plan and access to a team of professionals to provide a steady hand in tense moments.