British Airways Ultimately Fined £20m For Personal Data Breach By The UK ICO Under The GDPR (reduced From £183.39m) – Privacy

The UK Information Commissioner’s Office (“ICO”)
announced on 16 October 2020 that it has ultimately decided to fine
British Airways (“BA”) £20 million for BA’s
contraventions of the General Data Protection Regulation
(“GDPR”) associated with the personal data breach BA
first disclosed on 6 September 2018, which affected the personal
data of over 400,000 customers and staff. This final amount is a
substantial reduction from the £183.39 million fine the ICO
first announced it intended to issue in its notice
of intent in July 2019 (the “Initial Notice”), although
the fine still remains a significant sum and the largest issued by
the ICO to date under the GDPR.

The £20 million fine is approximately 0.16% of BA’s
worldwide annual turnover for the year ending on 31 December 2017
(approximately £12.23 billion), coming well under the maximum
4% fine that could have been issued by the ICO using its powers
under the GDPR (a £183.39m fine would have been just under
1.5% of BA’s worldwide annual turnover in that year).
As part of the lengthy process that preceded the reduction, the ICO
explained that it considered both representations from BA and the
economic impact of COVID-19 on BA’s business before setting the
final penalty.

Notwithstanding the significance of the fine ultimately issued
against BA, the scale of the reduction of the fine and the length
of time the ICO took to deliberate over it suggest that challenges
made to delay and reduce the imposition of large GDPR fines stand a
reasonable likelihood of success and are more likely to occur in
the future.

Interestingly, the fine has been recalculated without reference
to the Initial Notice following representations from BA. In
its response to the Initial Notice proposing the £183.39m
fine, BA had alleged that the ICO had misapplied its powers under
the GDPR and had unlawfully applied its regulatory action policy
(including by reference to an unpublished draft internal procedure)
when calculating and imposing the initial fine. In its
ultimate decision, while rejecting BA’s arguments, the ICO
explained that it had dispensed with considering the unpublished
draft internal procedure when recalculating the fine and emphasised
that there is no obligation on the ICO to issue a penalty notice in
precisely the same terms as the Notice of Intent. It notes that the
purpose of requiring the Commissioner to issue the Notice of Intent
is to permit consultation. Intriguingly, BA was afforded the
opportunity to make meaningful representations at the Notice of
Intent stage and it was also afforded additional opportunities to
do so, for example when the ICO agreed to consult BA again on its
draft decision.

The final penalty notice details the ICO’s
reasoning, including the five-step process adopted by the ICO in
ultimately deciding the appropriate penalty:

Step 1 – “Initial Element”: removing any
financial gain from the breach
The ICO determined that BA had not obtained any financial
benefit from its conduct associated with the personal data
breach.

Step 2 – Adding in an element to censure BA for the
breach, based on scale and severity
The ICO started its calculation of the fine at £30
million.

The failures, for which BA was considered wholly responsible,
were found by the ICO to be significant and of serious concern.
They affected a substantial number of data subjects over a
significant period of time (103 days) and resulted in the access of
a high volume of sensitive financial data, including “full
financial data” (such as combined card and CVV numbers) of
about 77,000 customers.

Though the breaches were not found to be intentional, BA was
considered by the ICO to have been negligent in maintaining its
operating systems, which suffered from significant vulnerabilities
and shortcomings.

The ICO found that there were numerous measures BA could have
used to mitigate or prevent the risk of the personal data breach
occurring and that none of these measures would have entailed
excessive cost or technical barriers to adopt (some of these
measures were available to BA at the time through the operating
system BA was using but were not adopted). In addition, the ICO
found that BA did not detect the attack itself but was alerted
by a third party more than two months later. It was not clear to
the ICO whether BA would ever have identified the attack itself, and
this was considered to be a severe failing because of the number of
people affected and because any potential financial harm could have
been more significant if the breach had gone undetected.

Nonetheless, BA’s prompt notification of the cyber-attack
once it became aware of it, and its full cooperation, were taken into
account at this stage.

Step 3 – Adding in an element to
reflect any aggravating factors

An indicative list of aggravating factors is provided at page 11 of
the ICO’s Regulatory Action Policy.

The ICO found no aggravating factors to apply.

Step 4 – Adding in an amount for
deterrent effect to others
The ICO did not consider it necessary to increase the
penalty further to dissuade others.

Step 5 – Reducing the amount (save for the
initial element) to reflect mitigating factors, e.g. financial
hardship
An indicative list of mitigating factors is provided at pages 11-12
of the ICO’s Regulatory Action Policy.

The ICO took the decision to reduce the fine by £6 million
(i.e. to £24 million).

In reducing the fine by this amount, the ICO took into account
the following factors:

  1. BA promptly informing affected data
    subjects and law enforcement / regulatory agencies and its full
    cooperation with the ICO’s enquiries;

  2. The immediate measures undertaken by
    BA to mitigate and minimise damage suffered by data subjects (such
    as the offer to reimburse any financial losses from the theft of
    card details and the provision of free credit monitoring);

  3. Widespread briefing to journalists
    and reporting likely to have increased the awareness of other
    controllers of the risks posed by cyber-attacks and the need to
    take all appropriate measures to secure personal data; and

  4. The adverse effect to BA’s brand
    and reputation, which will have had some dissuasive effect on BA
    and other controllers.

COVID-19

Following the Commissioner’s own published guidance on its COVID-19
approach (an updated version of which has since been
published) and the impact of the pandemic, both on BA and more
generally, the fine was reduced by a further £4 million to a
final sum of £20 million.

Originally published 19 October, 2020


© Copyright 2020. The Mayer Brown Practices. All rights
reserved.
