Advisen FPN

Advisen Cyber FPN - Wednesday, October 21, 2020

UK regulator levies record $26 million fine over British Airways' 2018 data breach

Fine is significantly lower than a proposed $238M fine, but still ICO’s largest to date

By Erin Ayers, Advisen

The UK Information Commissioner’s Office (ICO) levied a significantly reduced fine on British Airways, dropping the previously-announced penalty of $238 million over the airline’s 2018 data breach down to $26 million.

The $26 million still represents the largest penalty issued by the ICO to date, according to Information Commissioner Elizabeth Denham.

“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” said Denham in a statement. “Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”

The breach compromised a variety of personal details of over 400,000 people, including names, addresses, payment card information, some BA loyalty program information and some employee and administrative accounts.

Denham added, “When organizations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

The fact that it took over two months for the attack to be revealed came into question in ICO’s investigation. The regulator noted that a third party alerted BA to the attack and it isn’t clear whether the airline would have discovered it on its own, making the event “a severe failing because of the number of people affected and because any potential financial harm could have been more significant.”

ICO determined that BA should have “identified weaknesses in its security and resolved them with security measures that were available at the time.” In the regulator’s view, BA could have limited privileged administrative access and “undertaken rigorous testing” by simulating potential cyberattacks on its systems. The use of multi-factor authentication on employee and customer accounts would also have helped, along with other potential mitigation steps.

“None of these measures would have entailed excessive cost or technical barriers,” said ICO, adding that since the cyber event, BA has improved its systems considerably.

In reducing the fine, ICO considered the impact of COVID-19 on BA, as well as taking into account the airline’s explanation of the event and its processes.

ICO levied the fine under the UK Data Protection Act for violations of the European Union’s General Data Protection Regulation (GDPR). ICO functioned as lead GDPR authority for all member states on the investigation, since the cyber event took place before the UK left the EU.

ICO has previously issued fines of 500,000 pounds (about $645,000) to both Facebook over the Cambridge Analytica scandal and Cathay Pacific over a data breach occurring between 2014 and 2018. A fine of $124 million against Marriott International is under appeal.

As regulatory actions under GDPR heat up and fines are issued, more attention is being paid to whether investigations and damages will be covered under cyber insurance, particularly after a $41 million fine against clothing retailer H&M over employee surveillance practices. U.S.-based businesses face risks under GDPR, as well as the California Consumer Privacy Act (CCPA) and other data privacy regulations.

Provisions designed to provide coverage for liability to regulators can be found in “countless standalone cyber insurance policies,” according to Scott Godes, partner with Barnes and Thornburg. How the coverage question will play out depends on the jurisdiction and the individual policy and regulator, he added.

“It comes down to the creativity and how aggressive the insurance carrier will be in the question of GDPR,” said Godes. “It seems unfair to me to present a policy that provides cover for regulatory liability and then say, ‘we didn’t tell you about the giant exception.’”

Not every jurisdiction allows for regulatory fines to be insured, and criminal and punitive penalties cannot be insured.

During a recent NetDiligence event, data privacy experts commented that despite thousands of breach notifications, a much smaller number of fines have actually been issued under GDPR. Regulators appear to be open to negotiation and cooperation on investigations, the panel explained.

“You’ve got to do something pretty bad -- you’ve either got to have a breach that affects millions of people or you’ve got to be in the public domain and the regulator wants to make an example of you, or you’ve got to have a breach … and not really cooperate and behave poorly to get a fine or penalty,” said Hans Allnutt, partner with DAC Beachcroft.

The insurability of some fines may come down to intentional or unintentional violations, according to Gamelah Palagonia, senior broker at Willis Towers Watson.

“We’ll just have to see how these play out,” she said.

Editor Erin Ayers can be reached at eayers@advisen.com