Since the new data protection laws (the GDPR) came into effect last May, businesses have been waiting nervously to see how the Information Commissioner's Office (ICO) would exercise its increased regulatory powers.
Under the old Data Protection Act, the maximum fine the ICO could impose on a business for a personal data breach was £500,000. However, under the new GDPR, the ICO can impose fines of up to the greater of €20m or 4% of the breaching business' annual global turnover.
Last summer, British Airways was the target of what it described as a "sophisticated, malicious criminal attack" on its website, which diverted around 500,000 customers to a fraudulent website where their personal data was harvested. BA reported the data breach to the ICO in September 2018 (as the GDPR requires), but the ICO's investigation concluded that BA's poor security arrangements contributed to the severity of the personal data breach.
The ICO is now proposing to fine BA £183,390,000. This is not only one of the first fines to be made public since the GDPR came into force, but it is also nearly 367 times the previous highest ICO fine for a data breach (the £500,000 statutory maximum under the old Act). Still, it could have been worse: had the ICO fined BA the maximum 4% of its annual global turnover, the penalty could have been in the region of £500m. The ICO's view that BA had co-operated with its investigation and had taken steps to improve its security arrangements no doubt helped BA avoid the maximum fine.
Many businesses had wondered how the ICO would "flex its muscles" with its new powers under the GDPR. Some speculated that the ICO might start by getting a few modest fines under its belt, but it seems that the ICO has chosen to make an example of BA and show businesses just how expensive it can be to fail to take adequate steps to prevent a personal data breach. The size of this fine reinforces the importance of making sure that your business has adequate policies and security measures in place for the all-but-inevitable day when it finds itself the target of a cyber-attack.
"The law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from [the ICO] to check they have taken appropriate steps to protect fundamental privacy rights"