The British Airways data breach

The Information Commissioner’s Office (ICO) has given notice yesterday (Monday 8 July 2019) that it intends to fine British Airways over £183 million, for infringements of the General Data Protection Regulation (GDPR).

The potential fine relates to a cyber incident in 2018, part of which involved user traffic to the BA website being diverted to a fraudulent site. This resulted in customer details being harvested by the cyber attackers. It is estimated that about 500,000 customers’ personal data were compromised.

The ICO’s statement states that its investigation found “a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well [as] name and address information.” It also states that BA has co-operated with the investigation and made improvements to its security arrangements.

 

It is worth noting that a notice of intention does not necessarily mean this will be the end result. Following this notice, BA has 28 days to appeal (which it is reportedly intending to do). Representations may also be made by the other EU data protection authorities in territories where residents have been affected by the data breach.

However, if BA does end up being fined this amount, it will be the largest fine the ICO has issued, and by some considerable margin – the previous record was the £500,000 fine imposed on Facebook in relation to Cambridge Analytica under the Data Protection Act 1998.

What does it mean for your organisation?

There are two levels of administrative fine under the GDPR, with the highest being €20 million or 4% of annual global turnover (whichever is greater). A potential fine of £183 million must therefore have been calculated as a percentage of BA’s annual global turnover. This is likely to be considerably higher than the maximum fine that could be imposed on a start-up or SME, but it shows that the ICO means business in enforcing the GDPR.

Integrity and confidentiality (security) is one of the GDPR’s key principles, non-compliance with which can incur the highest level of fine. This requires businesses and other organisations to maintain appropriate technical and organisational measures to ensure they are processing personal data in a secure manner.

That all sounds very vague, and to a certain extent it is – there is no specific required level of security under the GDPR. Businesses need to determine the appropriate level based on the risks involved in their processing, the state of the art, and any costs of implementation. Technical measures include both physical measures (e.g. controlling access to your premises) and IT security (e.g. controlling access to personal data within your IT systems). A formal policy document (either as part of your internal data protection policy or separately) would help to demonstrate you are taking steps to maintain appropriate security measures. It is important to ensure that your policy and practices match up, which means that your policies need to be reviewed regularly and updated where appropriate.

Data processing agreements, and other contracts that deal with data processing arrangements, must include provisions requiring data processors to implement appropriate technical and organisational measures. Depending on the type(s) and quantity of personal data involved, you may wish (or need) to include more detailed provisions covering any particular security measures required. As a controller this ensures that your processors meet the standards you require. As a processor this can be equally important, as it gives you certainty about what your controllers consider to be “appropriate” in the context of the data they are providing you with which, in many cases, it might otherwise be difficult for you to assess. If a data processor breaches the GDPR, the ICO (or other relevant EEA authority) could pursue the data controller and/or the data processor. Your contract could be vitally important in apportioning liability in the event of a breach.