It’s not surprising that the world is focussing on the potential British Airways fine this week. This is the first substantial notice actioned by the ICO under the new data protection regulations (GDPR & DPA 2018).
Fact: It is a record fine (if it proceeds at this amount).
Fact: It was a sophisticated cyber security breach.
Fact: The UK’s ICO was working with other EU regulators to investigate this.
Fact: A significant number of customer records, 500k according to the ICO statement, were diverted by the criminals who carried out this attack. The Telegraph reported in September 2018, at the time of the attack, that 380,000 payment transactions were compromised.
But the fine, whilst important as a gauge of the new scale of financial levies, is not the core issue here. Once again, a large, well-established company has allowed individuals’ personal data to be compromised.
We await their response to the notification of the ICO intended action.
Will trust in BA be affected?
Do we think customer trust in BA will be impacted? No, probably not in the long term. History shows that such breaches tend to result only in a temporary dip in shareholder value, although brand reputation will take a hit.
It would appear that most of the customers affected were not targeted financially after the hack, and we’re aware that customers were offered a 2-year paid subscription to Experian’s Protect myID in compensation. Was this a little bit of “closing the stable door after the horse has bolted”? However, given the lack of any significant personal impact, improvement measures to protect online transactions may be enough to keep the faith of the customers.
BA has updated its security provisions and discussed alternatives for providing security services. BA actively reported the breach and continues to work with the ICO to complete the investigation.
The debate across social media and privacy practitioner forums regarding the size of the intended fine will rage on until it is decided whether it is proportionate, as laid out in Chapter VIII, Article 83 of the GDPR, with the ICO acting as the lead supervisory authority under the ‘one stop shop’ provision.
Given the amount of the BA fine, the actions BA took to mitigate the risks to data subjects, and its cooperation with the ICO, it would appear that some pretty severe negligence must have been in play.
If this is the potential scale of fines for a data breach that involved a criminal act by an external party, what will the consequences be for organisations that knowingly (or even unknowingly) process customers’ personal data for a purpose outside of the customer’s awareness? Or where the correct lawful basis or consent isn’t established?
The data controller is responsible for these operational factors, and it will be interesting to see how data misuse cases like these develop. We are curious to hear our readers’ thoughts on this.