BA’s jumbo fine significantly reduced

Background

In 2018, we reported BA’s systems were hacked by a malicious attacker and hundreds of thousands of data subjects’ data (including names, addresses, payment card numbers and CVV numbers) had been compromised. We then reported that after the ICO’s initial assessment, an interim fine of £183m was proposed – which would have been the largest fine yet issued under the GDPR. However this now seems to have been significantly reduced.

Assessing the level of fine

The question on everyone’s lips is what was taken into account by the ICO when re-evaluating the level of fine. The 114 page monetary penalty notice setting out in detail the steps taken by the ICO in coming to its decision is certainly not a quick read. However, it appears that the following factored heavily in the ICO’s decision to reduce the fine from the level it originally intended:

1. BA did not gain financially as a result of the breach;

2. The breach was not deliberate;

3. BA had no relevant previous infringements or failures to comply with past notices;

4. BA had fully cooperated with the investigation;

5. No ‘special category’ data was affected; and

6. BA acted promptly when notifying the ICO.

According to the ICO these features would have resulted in a £30m penalty. This was then further adjusted to take into account the following mitigating factors:

7. Immediate remedial action was taken to all of BA’s customers;

8. BA’s brand and reputation was adversely affected; and

9. Reporting of the incident will have increased awareness of the necessity for other data controllers to comply with the GDPR.

Altogether, these mitigating factors would have resulted in a fine of £24m.

Finally, it seems that the impact of the Covid pandemic also played a part in re-evaluation of the fine as the fine was reduced by a further £4m leaving a total fine of £20m.

While the impact of the pandemic was one factor (which the ICO invited BA to make representations about), it is by no means the main factor that was taken into account (which is contrary to a number of reports currently circulating).

Instead, the ICO’s decision to materially reduce the fine seems to have stemmed from BA’s criticisms of the ICO’s reliance on a turnover-based approach to setting fines. Rather than focussing on the turnover of a data controller, this decision indicates that, in future, the ICO will consider a range of relevant factors (such as those set out above). From the perspective of assessing the ICO’s approach to fines, this will be a relief for many large business, though the impact on smaller data controllers is yet to be seen. We can also not rule out other EU regulators adopting a more aggressive stance when it comes to issuing fines, particularly if recent decisions coming out of Germany are anything to go by. Finally we need to be mindful of the rise of class actions which are always likely to be hovering in the background (see below).

How the fine could have been avoided

Despite the long list of mitigating factors, the ICO were clear that BA had failed in their obligations to properly protect data subjects’ data. Elizabeth Denham, the Information Commissioner, set out that: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date. When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

Issues specific to BA that the ICO considered when setting the fine were:

1. Access to applications, data and tools were not limited to those required to fulfil their role;

2. The business’ systems had not been rigorously tested for cyber-attacks;

3. Multi-factor authentication had not been put in place; and

4. BA only found out about the attack when they were alerted two months’ later by a third party.

The ICO found that measures could have been taken that would not have incurred excessive cost and that did not impose technical barriers. Some were already available to BA through their use of the Microsoft Operating System.

What can we do?

The lesson here is clear – simple steps could have been taken to avoid, or mitigate, the breach that BA suffered. Data controllers should use this opportunity to ensure that:

1. data security measures are adequate, ensuring that systems are tested for cyber-attacks and multi-factor authentication is put in place where necessary;

2. access to data is strictly limited to those people within the business who have a need for such access;

3. where a breach is discovered, the ICO should be informed as soon as possible (where necessary) and co-operated with during any subsequent investigation; and

4. remedial steps are offered to data subjects as soon as possible (e.g. the offer to reimburse any financial losses resulting from the attack and making available a free credit-monitoring service where appropriate.

Class action lawsuits

While the reduction in the level of fine will be a piece of welcome news for BA, the fact remains that the ICO have issued a very lengthy judgment setting out myriad ways in which BA have failed to keep data secure. While the fine that has been imposed may seem lenient following the initial proposal, this may be just the opening chapter in a longer story.

In October 2019 Mr Justice Warby granted a group litigation order paving the way for a mass legal action against BA. While BA may have seen the end of action by the regulator, the ICO has found BA to have been in breach of their obligations, leaving a very large group of claimants in a strong position to receive some level of compensation.

The bringing of class action lawsuits following data breaches á la BA, Easyjet, and TalkTalk seems to be becoming de rigeur and an easy way for disgruntled data subjects to receive some compensation.

Given this type of litigation is clearly on the rise and has the potential to dwarf the fines issued by regulators, we are hosting a webinar where we will be exploring the ways in which class actions are brought, looking at learnings from recent cases, and discussing tactics to avoid being on the receiving end of them. For more information and to register, click here.