The Information Commissioner’s Office has issued a notice of intent to fine British Airways under the new Data Protection Act 2018 (DPA).
As supervisory authority for data protection in the UK, the ICO has the power to penalise organisations which fail to comply with data protection laws.
In its statement, the ICO has indicated that it is seeking to fine British Airways £183.39 million. This represents almost 1.5% of the global turnover of British Airways in 2017. Whilst a significant amount, it falls short of the maximum penalty that could be imposed of 4% of global turnover. If imposed, it will be the largest penalty issued under the new DPA, far exceeding the previous statutory maximum of £500,000.
Why Penalise British Airways?
The proposed fine relates to certain infringements of the GDPR arising from a cyber incident in 2018.
Under the GDPR and DPA, an organisation which processes personal data is under a duty to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data”.
For a public facing organisation such as British Airways, which processes large quantities of critical personal data such as credit card and passport details, the risks are undoubtedly higher and, consequently, the highest possible level of technical security is expected.
According to the ICO, hackers diverted user traffic from the British Airways website to a fraudulent site. This security breach involved over 500,000 customers and led to the compromise of personal data including login, payment card and travel booking details, and names and addresses.
The notice follows an investigation by the ICO, as lead supervisory authority, in conjunction with other data protection bodies within the EU.
The amount sought is clearly a signal from the ICO that it intends to exercise its power to impose significant penalties when an organisation fails to protect personal data from loss, damage or theft, in this case, British Airways’ “poor security arrangements”.
The amount of the penalty is still to be determined. Under the DPA, before a penalty can be imposed, a notice must be served on the person or organisation concerned which sets out the details of the alleged infringement, the fact that the ICO intends to issue a penalty for the infringement, and the reasons why the ICO intends to issue a penalty.
The organisation must be given not less than 21 days within which to provide oral or written representations. The ICO must then take into account any representations in its decision which cannot be given earlier than six months from the notice of intent. The organisation can then appeal the ICO’s decision.
In its submissions, British Airways may argue that the amount of penalty must take into account British Airways’ attempts to mitigate any loss to customers, its co-operation with the ICO and any steps it has taken to remedy the technical failures.
Not only will British Airways face a large penalty from the ICO, it could now be subject to a plethora of claims by individuals affected by the breach.
The DPA permits individuals who have suffered damage by reason of a breach of the DPA or GDPR to claim compensation for that damage which can include non-financial loss such as distress. Distress is one form of non-financial loss or “moral damages” such as damage for misuse of private information.
An organisation (either controller or processor) will not be liable to pay compensation if it is proved they are not “in any way responsible for the damage”.
British Airways has already indicated it is prepared to compensate customers for any financial loss and has offered an apology and certain non-cash benefits in what no doubt British Airways will argue is a sufficient remedy for distress.
Given the seriousness of the breach, this may be an appropriate test case for those individuals minded to make a claim for compensation for distress under the DPA.