British Airways data breach fine reduced to £20m
The Information Commissioner’s Office fined British Airways £20m over a two-month cyberattack in which the details of more than 400,000 customers were stolen. Bill Mew looks at the implications of one of the UK’s biggest corporate data breaches.
On Friday (26 October), the UK Information Commissioner’s Office (ICO) slashed the fine it had levied on British Airways (BA) by almost 90%. For “unacceptable” violations of the general data protection regulation (GDPR), BA will now have to pay just £20m instead of the original £183.39m fine announced last July.
When GDPR first came into force in May 2018, most of the headlines focused on the size of the potential fines. These can be anything up to a maximum fine of €20m (about £18m) or 4% of annual global turnover (whichever is greater) for each infringement.
Where regulation and responsibility had previously failed to give rise to any real change in data protection habits, the ICO decided that fear and fines might have more effect. Until now, however, nobody really knew what the actual benchmark would be for regulatory enforcement or what kinds of infringements would warrant the maximum fines.
The ICO’s first two big fines, against British Airways (BA) and hotel chain Marriott, gave us the answer. In BA’s case, the proposed fine was almost £200m, while Marriott’s was nearly £100m.
Both organisations immediately appealed. BA and Marriott have been hit hard by the pandemic, so some leniency was expected. But few believed the airline’s fine would be reduced to as little as £20m. This is still the largest fine that the UK’s data privacy regulator has handed out, but the question is, why was the fine lowered so much and what does this mean for others?
Lessons to be learned
BA questioned many aspects of the investigation. It claimed the actual harm caused by the breach was minimal and pointed to much lower fines handed out by EU supervisory authorities for similar breaches.
The 90% reduction suggests that challenging the ICO’s decisions is worth trying – and many observers are now expecting a similar reduction to Marriott’s fine.
Such reductions could be seen as a pragmatic way to deal with the hard-hit tourism sector or, in BA’s case, as recognition for the steps it took to remedy its problems (or both). But a reduction of this magnitude calls into question whether regulatory enforcement of GDPR is still an effective threat.
From regulation to litigation
With the ICO’s penalty resolved, the focus has naturally switched to civil litigation, where we have seen some eye-watering claims.
BA was sanctioned for its failure to protect the personal and financial details of more than 400,000 customers. A few months later, Easyjet was hit by what is thought to be the same hacking gang using the same tools. Not only had Easyjet failed to learn from BA’s mistakes, but its failure was far greater, exposing the personal details of 9m customers.
Both airlines now face claims from those affected, but the Easyjet claim for £2,000 each represents a potential total of £18bn – the largest such claim in UK legal history.
The Lloyd vs Google case set a precedent for opt-out class actions for privacy breaches. The case is currently being appealed, but if the ruling is upheld by the UK Supreme Court in April next year, it is expected to open the floodgates to a massive wave of claims.
In addition to PGMBM’s data breach claim against Easyjet, Your Lawyers, pioneers of representative actions outside the privacy field, have also brought a claim against Virgin Media, and a similar case against Volkswagen.
Pending the final Lloyd vs Google ruling, many other law firms are gearing up to bring claims. With a statute of limitations of six years, any firm that has experienced a recent breach, or one yet to be disclosed, should be very worried.
Where does this leave us?
While some pieces of the puzzle are visible, a few more pieces need to fall into place before we will know for sure.
- Regulators have more sanctions than just fines: The ICO can withdraw an organisation’s right to process personal data – as the EU has done recently with Facebook. When the EU/US data-sharing Privacy Shield was struck down by the EU’s highest court, evidence revealed that Facebook had been transferring data to the US unlawfully. Changing its processes to comply with EU law will be so challenging for the social media giant that it has even threatened to cease operations in Europe entirely.
- Brexit – equivalence between the UK and the EU: At the end of the year, we will know whether the UK has secured a Brexit deal and whether the EU will recognise the UK for its data adequacy under GDPR. If we fail to pass that test the UK will become a data island and its regulatory structure will start to diverge from the continent. Alternatively, if we do secure agreement, then we will need to maintain a level of equivalence that will be led by European case law and regulations.
- Final ruling on representative actions: The Lloyd vs Google appeal is due to be heard by the UK Supreme Court in April next year. If the original ruling is not overturned on appeal, then class action privacy claims will start flowing.
While a reduction in regulatory fines, especially one of 90%, will be welcomed, it represents little compensation when you consider the number and sizes of the potential representative actions that could be brought. Maybe this means that enforcement will be left more to the lawyers than the regulators.
So how much is our data worth? This will be decided over the next few months with a whole series of claims and appeals as precedents are set by both regulators and lawyers. It will be fascinating to watch and will be exceedingly expensive for some of those involved. My guess is that the lawyers won’t do too badly whatever the outcome.
Founder and CEO of CrisisTeam.co.uk (SiliconANGLE global Startup of the Week – May 2019), an elite team of experts in incident response, cyber law, reputation management and social influence that help clients minimize the impact of cyber incidents. Previous cloud strategist at UKCloud (the...