BA fine shows “wait and see” period is over


The ICO’s intention to impose BA with a mammoth fine leaves UK companies in no doubt over how seriously to take GDPR compliance, experts say.

News broke this week of the UK regulator’s aim to make BA pay a £183 million (€205m) penalty for a data breach which hit the company last year.

Between 21st August and 5th September 2018, hackers broke through the airline’s cyber-security defences to gain access to passengers’ names, email addresses and credit card details.

BA has highlighted its rapid response to what it described as a “sophisticated, malicious criminal attack” which affected half-a-million of the firm’s customers. The iconic British carrier also underlined how no evidence exists to suggest that fraudulent activity has taken place on accounts associated with the stolen data.

But the ICO remains unmoved by BA’s protestations, having discovered “poor security arrangements” at the company.

As reported by The Irish Times, Information Commissioner, Elizabeth Denham, said:

“When you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Jo Blazey, Global Data Governance Officer, at Commvault, said:

“This announcement is a stark reminder for any company which has been hoping that large GDPR fines are not going to materialise, of the importance of ensuring that personal data is appropriately used, managed and secured throughout its lifecycle.

“While the announcement amounts to an intention to fine and BA will have a chance to dispute ICO’s findings, it sends a clear message that the ICO is willing to flex its GDPR muscles where it considers companies are not taking data protection seriously enough,” she added.

Rob Dallison, Associate VP at risk management specialists, SAI Global. described how the ICO’s stance sends out a clear signal to British companies regarding the need to drive resources into practices that uphold the GDPR.

“Compliance with GDPR requires significant investment, and many UK companies have preferred to wait and see how the ICO will interpret the regulation before investing the funds, time and resources required to become fully GDPR compliant,” Mr Dallison said.

“For those UK firms who have been waiting for a yardstick to measure their exposure to GDPR penalties, the time for ‘wait and see’ is over. They now have some key data points to assess the financial risk attached to a breach of GDPR, and to make their investment decisions accordingly,” he added.

PrivSec Report spoke with Sagi Leizerov, PhD, VP, Enterprise Privacy Solutions at Dataguise, who elaborated on the rationale of the UK regulator in its reaction to the breach.

“The action by the ICO should not be interpreted to mean that under the GDPR, when a company gets breached it is going to be hit twice – once by the criminals and then by the regulator, Mr Leizerov said.

“Getting breached on its own is not a violation; it’s what the breached company did before, during and after the breach that regulators are interested in. In the case of BA, the conditions that allowed the breach to happen (i.e., before the breach) seem to be at the heart of the large fine.

“When the ICO says it found BA to have “poor security arrangements” in place to protect the personal information of its customers, it is talking about proportionality, effectiveness and due diligence; these management considerations would not necessarily apply to the next company the ICO investigates following a breach,” Mr Leizerov continued.

“The ICO case against BA is an indication that the most impactful change introduced by the GDPR is its breach notification requirement. Incidents such as this have been happening for years and very often kept in the dark.

“Breach notification provides customers with the transparency they deserve about how their data is being treated, and provides companies the incentive to invest in protecting that data so they don’t have to explain themselves to their customers in the first place,” he added.

Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place today and gain access to the entire event free of charge. With all sessions available to view live or on-demand, you can build a personalised agenda based on your key focus topics and make the event fit around your work schedule.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.