Following a significant data breach that directly impacted British Airways in September 2018, questions have arisen regarding liability, recovery, and next steps for both the company and for the nearly 500,000 affected customers. This breach led to the theft of customers’ personal and financial data from August 21stthrough September 5th, 2018, exfiltrated through the company’s website and mobile app. This was a targeted attack executed via an online “payment transactions” vendor. Chalk this one up as another instance of cyber vulnerabilities in the supply chain. Fortunately for British Airways customers, phone numbers, which are input at another point of the booking process, were not compromised.
A subsequent ruling issued by the United Kingdom’s International Commissioner’s Office (ICO) attempted to address many of these questions and confront the difficult task of attribution for this breach. The resulting decision was a landmark fine of €183 million (or $205M) against British Airways, setting a new record for data breach penalties. ICO justified the penalty under the auspices of the European Union (EU) General Data Protection Regulation (GDPR), a 2018 statute. The execution of this fine is contingent on either the expiration of the 28-day window British Airways has to appeal the ruling, or a failed attempt to do so.
What, then, does this incident and the subsequent fine mean for other businesses, large and small?
The ICO’s ruling places accountability for data breaches squarely at the feet of businesses and their leadership. Previously, the largest fine ever issued was €500,000. A ruling by the European Union has allowed for fines of up to 4% of a company’s global revenue. The British Airways fine, while record setting, accounts for less than half of the limit the ICO is allowed to administer, at 1.5% of their global revenue.
Because the penalty policy is percentage based, businesses of all sizes are incentivized to allocate funds to cyber resilience and prevention. It further demonstrates to companies that the cost of strengthening their infrastructure and supply chains and reducing the risk of a cyber breach pales in comparison to the financial and reputational damage that a data breach would result in, removing any uncertainty as to whether cybersecurity initiatives are worth investing in.
This severe enforcement action stems from shifting regulatory policies, which lean towards heavy sanctions against any company not taking the necessary steps to protect third party users’ information in the event of a breach.
One of the commission members, Elizabeth Denham, stated: “People’s personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear- when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Taking the necessary steps to identify, prioritize, and mitigate cyber risks that can impact a business’ revenue, reputation and customer data will not only protect operational capacity, but also shield it from paying a percentage of revenue towards fines. Foundational best cyber practices, despite their near-term expense, will almost certainly yield large dividends down the road as online criminals target the most vulnerable, continuously finding new ways to disrupt business operations and steal all types of data. Pragmatic businesses are taking a proactive approach to mitigating the risk of cybercrime and fraud, thereby protecting and retaining their customers and investors.
Other Helpful Resources: