On 16 October 2020 the UK Information Commissioner's Office (ICO) confirmed that it had imposed a fine of £20m on British Airways (BA) for infringing the GDPR by failing to protect the personal data of approximately 400,000 of its customers, following a data breach in 2018.
The fine is the highest ever imposed by the ICO. The previous record was £500,000, the statutory maximum under the now superseded Data Protection Act 1998, which the ICO imposed twice in 2018 in two separate cases.
The breach began when an attacker gained access to the BA internal network using compromised credentials belonging to an employee of a third-party supplier. From that foothold the attacker was able to modify the code of the BA website so that payment card details, names and addresses entered by customers were captured and exfiltrated to the attacker.
While much of the coverage of the announcement has focused on the significant reduction of the fine from the £183m originally announced in the 2019 notice of intent, the decision supports a number of more fundamental conclusions of which organisations should be aware.
In its defence, BA argued that it could not be held responsible for the activity of organised criminals who were involved in the attack. The ICO disagreed, emphasising that the reason for sanctioning BA was not because a personal data breach occurred per se, but due to the failures of the company to take appropriate technical and organisational security measures to protect the personal data of its customers in the first instance.
This is a significant distinction for organisations to note. Being prepared to respond to a breach and taking immediate steps to mitigate the damage caused by an incident remain important, but they do not cure a pre-existing failure to secure the data, and so will not by themselves prevent sanctions being imposed.
Taking the ICO's rationale for the sanction into account, the key focus for organisations should be ensuring that robust information security measures are adopted and maintained to prevent a personal data breach. In-house legal and compliance teams need to be involved in not only setting appropriate policies and standards to protect data, but also working in close coordination with the information security team in ensuring that:
For organisations that process significant amounts of personal data, the decision offers some useful guidance on the scope of the security measures that the ICO is likely to consider necessary.
Firstly, in interpreting the Article 32 requirement for "appropriate technical and organisational measures", the ICO went beyond its own regulatory guidance, making extensive reference to industry standards and technical guidance issued by third parties (including the PCI DSS and guidance published by the National Cyber Security Centre) when evaluating the failures that it found BA to have committed. Organisations should therefore expect to be measured against the prevailing industry baseline, not only against the regulator's published guidance.
It also took a broad approach to the circumstances in which Article 32 applies. The ICO rejected BA's argument that the obligation to take appropriate technical and organisational measures applied only to systems that themselves process personal data. In the ICO's view the obligation extends to any part of the network whose compromise could lead to a personal data breach, for example a remote access route into the internal network, even where that component holds no personal data itself. Organisations therefore need to apply the same regulatory standard across the whole of the environment from which personal data can be reached.
Finally, there were a number of technical measures which were highlighted as being insufficient within BA. While the gaps identified here are specific to the case, they provide a useful insight into the regulator's expectations. They include:
While the sanction was imposed for security failures that existed before the incident, the steps the airline took in its response resulted in the fine being reduced by £6m (a 20% discount on the ICO's £30m starting figure). Those steps were the prompt notification of data subjects, regulators and law enforcement; BA's full cooperation with the ICO during the investigation; the offer to reimburse customers who suffered financial losses; and the remediation work undertaken since the breach to improve security. This reinforces the importance, for any organisation that suffers a data breach, of acting immediately on the incident, co-operating with regulators and taking proactive steps to mitigate the harm to affected data subjects.
In practical terms, and given the specific notification obligations set out in the GDPR (notification to the supervisory authority within 72 hours of becoming aware of a breach under Article 33, and notification of affected data subjects without undue delay where the breach is likely to result in a high risk to them under Article 34), knowing how to react in the immediate aftermath of a data security incident is key. As more jurisdictions around the world introduce mandatory data breach notification, making the right call on who, when and how to notify is likely to have a direct effect on the enforcement approach adopted by regulators.
It is also important to note the mitigations which the ICO did not consider relevant to quantum. It dismissed the significance of the criminal nature of the incident, and held that although no data subjects were known to have suffered any pecuniary damage, such damage is not a pre-condition for imposing a fine.
Following the ICO's notice of intent in 2019, BA challenged the basis on which the authority had calculated the £183m fine that it sought to impose. Amongst its arguments was that the ICO's use of an unpublished draft internal procedure, which set a guide to quantum by reference to the turnover of the controller, was unlawful. This led the ICO to change the way in which it calculated the fine, and is given as one of the primary reasons why the amount was reduced to £20m.
The change in methodology meant that the fine was calculated by reference to the ICO's published Regulatory Action Policy and the factors listed in Article 83(2) GDPR. This provides welcome clarity on the basis on which future fines should also be calculated.