Written by Helen Bourne and Madeleine Shanks.
The ICO announced yesterday, 8 July 2019, its intention to fine British Airways £183.39 million for infringements of the General Data Protection Regulation ("GDPR"). The fine relates to the widely publicised data breach which took place in June 2018 and was disclosed to the ICO in September last year. User traffic to the British Airways website was diverted to a fraudulent website, compromising the personal data of approximately 500,000 customers.
The ICO has indicated its investigation found that poor security measures had led to the data compromise. Information Commissioner Elizabeth Denham said in a statement that "the law is clear" in respect of personal data:
"When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
According to a statement released by IAG, British Airways' parent company, the fine represents 1.5% of British Airways' worldwide turnover for the financial year ending December 2017. The GDPR gives the ICO the power to fine companies a maximum of EUR 20 million or 4% of their total annual worldwide turnover for the preceding year, whichever is greater. The proposed fine therefore does not represent the full extent of the ICO's powers which, if exercised, could have resulted in a fine of almost £500 million.
Nevertheless, the fine will be the biggest in the ICO's history and will act as a reminder of the potentially catastrophic financial consequences of failing to protect personal data in the new era of GDPR. In comparison to the ICO's previous pre-GDPR record fine of £500,000 against Facebook following the Cambridge Analytica scandal, these figures are significant.
Willie Walsh, the chief executive of IAG, has confirmed British Airways' intention to make representations to the ICO, which it has 28 days to do, and to "vigorously" defend its position.
Similarly, British Airways CEO Alex Cruz said he was "surprised and disappointed" by the ICO's proposed findings and stressed that British Airways had responded quickly to the breach and had found no evidence of fraudulent activity in respect of the compromised customer accounts. In other words, the impact of the breach had been contained and British Airways had acted expeditiously.
The insurability of fines pursuant to the GDPR is still open to debate; earlier this year the Global Federation of Insurance Associations called for clarity from the OECD (Organisation for Economic Cooperation and Development) on whether insurers can pay out for such fines. The OECD is in the process of conducting consultations to better understand the implications and impact of regulation on the cyber security market, which will hopefully provide the market with further guidance on this point. In the UK, the insurability of fines imposed by the ICO depends greatly on the public policy question of whether it is possible to recover for a loss which results from one's own wrongdoing. In circumstances where no "intentional wrongdoing" has been shown, the position remains less clear.
The ICO's announcement can be found here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/
We will be watching this case as it develops, in the hope of better understanding the ICO's decision and how companies and their insurers can learn from it going forward.