Editor's Note: In breaking GDPR news, in the closing days of October the ICO reduced its fine against Marriott to £18.4 million, down from the £99 million it threatened in its July 2019 Notice of Intent. We will report more on the Marriott fine in our next issue.
On 16 October, the Information Commissioner’s Office (ICO) fined British Airways plc (BA) a UK record £20 million for breaching the GDPR. This was closely followed by an £18.4 million fine for Marriott International for similar reasons.
In this article, we look at the factors leading to the BA fine and how the ICO calculated the amount. We will cover the Marriott fine in the next edition.
On detection, BA promptly notified the hack to the ICO and its customers and fully cooperated with the investigation. While those actions were taken into account, the ICO[1] found BA had seriously failed in its obligation to process the personal data of its customers in a manner ensuring appropriate security.
It is sometimes observed that the only organizations that claim not to have suffered cyberattacks are those that haven’t noticed. Given that such attacks are so prevalent, what did BA do wrong for the ICO to find it in breach of GDPR?
In this context, the standard of cybersecurity the GDPR sets is one of what is “appropriate”, not a gold-plated standard. Article 32 GDPR requires organizations to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, taking into account “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing” as well as the risk to the rights and freedoms of individuals. This is the standard against which BA was judged.
Features of the Event Suggesting Inadequate Security
While we do not have full technical details, some being confidential, the following features of the hack disclosed inadequacies in BA’s security:
The effect of the hack was access to the personal data of some 500,000 individuals. For around 250,000 of them, the compromised data included the name, address, card number and CVV number (card security code) of BA customers.
What Happened Afterwards?
The hack was detected in September 2018 when a third party notified BA that customer data was being sent to a rogue website. BA stopped the hack within a couple of hours and the following day notified the ICO, the payment card companies and around 500,000 customers, as required by the GDPR.
The ICO investigated and, after detailed submissions and evidence, issued a Notice of Intent to fine BA £183 million in July 2019. This was followed by a 15-month period of further investigation and representations by BA, involving significant extensions to the standard six-month period.
Over two years after receiving the initial report, the ICO announced on 16 October that it was fining BA £20 million.
Why BA was in Breach
The ICO noted that not every hack is a breach of the GDPR and that it must not reason with hindsight. The question was whether BA’s security was adequate, taking into account the GDPR factors described above: essentially, whether BA had adopted current technology and processes in the light of the costs of their implementation, the nature of its personal data processing and the risk to data subjects.
The ICO found the features of the hack demonstrated BA failed to meet this standard. In particular,
BA argued the ICO was applying an unduly high standard with the benefit of hindsight and had failed to have regard to the whole of its security environment. The ICO rejected this in the light of the number of appropriate measures available to BA that an organization of its scale should have taken.
BA also argued the hack was so sophisticated that appropriate security measures would not have kept it out. The ICO found it was not so sophisticated as to negate BA’s responsibilities.
The ICO confirmed that not every breach of the GDPR will result in a fine. However, a fine was appropriate for serious breaches like this one, which involved:
The ICO found that an appropriate level of fine, applying the GDPR test of being “effective, proportionate and dissuasive” while taking into account the factors set out in the GDPR and BA’s turnover, would have been £30 million.
That figure was reduced by 20% owing to BA’s mitigation: prompt notification and cooperation, assistance to customers and implementation of remedial security measures.
This gave a figure of £24 million, which was further reduced to £20 million on account of the financial impact of Covid-19 on BA. This represents around 0.16% of BA’s 2017 turnover, considerably below either the 4% or the 2% maximum.
BA Did Not Go Quietly
Some readers might conclude that, given the facts, BA should have accepted that a finding of breach and a significant fine were inevitable.
Nothing could be further from the truth. Adopting the aggressive stance for which the recently departed CEO of its parent company is well known, BA fought the ICO on every conceivable point. It made eleven submissions against both the decision to fine it and the amount.
All of these submissions were rejected. Many were on the ‘brave’ side, for example the argument that the ICO should have fined at the DPA 1998 level when the limit was set at £500,000 and the contention that it should not use turnover as a core quantification metric.
One point of interest was whether the maximum theoretical fine was 4% or 2% of BA’s worldwide annual turnover. Article 32, the specific GDPR provision on data security, falls in the 2% category (Article 83(4)), while breach of Article 5, the general principles of processing, which include integrity and confidentiality, carries the higher 4% maximum (Article 83(5)). BA’s argument that the lower percentage applies is persuasive. Although the ICO unconvincingly maintained its position that the higher limit applied, the point was academic since the £20 million fine was well below both.
BA’s spirited approach can nevertheless be justified by its relative success in having the fine massively reduced by nearly 90% from the £183 million figure in the ICO’s 2019 Notice of Intent.
There is no real explanation of why the ICO went from £183 million to what would have been £24 million in the absence of Covid-19, merely a statement that the reduction was based on BA’s representations. It seems hard to believe that these could have been so radically different from BA’s initial representations as to justify such a change. It therefore seems more likely that the ICO simply changed its mind on the level of fine, perhaps fearing it would be overturned on appeal.
Viewed comparatively, the biggest GDPR fines issued to date are the €50 million and €35.3 million imposed on Google and H&M by the French and Hamburg authorities respectively. Those breaches involved different factors but were arguably no less serious than BA’s, certainly with regard to intent. £20 million is more consistent with that level of penalty than the mooted £183 million.
Just after its Notice of Intent to fine BA, the ICO issued Marriott International with a similar notice for £99 million, again for a cybersecurity breach. As mentioned above, that has just resulted in a fine of £18.4 million, another significant reduction and consistent with the BA fine.
BA has 28 days to lodge an appeal against this fine to the First-tier Tribunal. It will be interesting to see whether it carries on the fight.
Although this fine is far lower than first indicated, it is nonetheless significant and shows that the GDPR has considerable teeth, which the ICO is not afraid to use.
A £20 million fine is also a salutary reminder for organizations subject to the GDPR to have proper cybersecurity measures in place. The cost of taking such measures is far less than the combined cost of large fines, remedial action, private actions for compensation and damage to goodwill.
[1] Acting as lead supervisory authority, since the processing was cross-border.
[2] ENISA, the European Union Agency for Cybersecurity.