21 October, 2020
Sky High Fine: ICO fines British Airways £20m for data breach
The Information Commissioner's Office (ICO) has fined British Airways (BA) £20m - the biggest such penalty to date - for failing to protect personal data, a failure that resulted in more than 400,000 of its customers' details being compromised in a cyber-attack in 2018. However, the penalty is far less than the £183.4 million the ICO proposed in 2019.
An ICO investigation found that BA processed a significant amount of personal data without adequate security measures. These inadequacies resulted in a breach which BA failed to detect for more than two months. ICO investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time, which would have prevented the breach.
As the breach occurred prior to the UK leaving the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR's cooperation process.
The Penalty Notice issued by the ICO outlines BA's co-operation with the ICO after it became aware of the breach and the subsequent efforts it made to mitigate the impact of the attack on those whose data was taken. Moreover, it outlines the arguments used by BA to reduce the sum payable. BA suggested that the ICO was both unjust and disproportionate in applying a formula based on global turnover to calculate the original penalty. This argument was strengthened by the fact that the data breach did not result in any special category data being taken. Additionally, the initial sum appeared excessive when compared to other well-publicised fines issued by the ICO under the higher GDPR regime.
The ICO also considered BA's current trading performance and made specific reference to the impact of the COVID-19 pandemic on the travel sector. This resulted in the amended fine being reduced from £25 million to £20 million.
While the ICO has backpedalled, this is still the largest fine ever issued by the ICO. It may not be the 4% of turnover on which the initial penalty was based; however, in the current trading conditions, £20 million is a significant outgoing for BA.
The process has highlighted the appeal mechanism available to data controllers and the potential tactics for reducing penalties. While the UK will soon be detached from the GDPR's cooperation process, the level of the fine will likely set a precedent in the UK for the coming years.
For more information contact Daniel Milnes in our Governance, Procurement & Information department via email or phone on 01254 222313. Alternatively send any question through to Forbes Solicitors via our online Contact Form.