The ICO released news of its intention to fine British Airways £183.39 million for infringements of the GDPR’s security requirements. Note that we do not know the full facts of the case, and the exceptionally large intended fine could be indicative of a serious security failure, the details of which we are unaware but which will no doubt come to light if/when BA appeals the decision.
However, there are some issues that any organisation handling personal information should consider in the light of the ICO’s action:
The ICO has finally shown its teeth
After decades of being the poor relation of regulators with greater resources and punitive powers, the ICO is taking its place at the regulatory table, and is sending a signal to organisations’ boards that the appropriate handling of personal information has to be right up there as a key corporate priority. You can expect to see more large fines over personal information security breaches.
This was a cross-border case
The proposed £183.39 million fine is the first for a breach that reportedly occurred after the GDPR was introduced. It was also a cross-border case and, as far as we are aware, the first in which the ICO has been the lead authority. Maybe the size of the proposed fine is intended to send a message to the ICO’s EU counterparts that it is willing to impose fines exceeding even those imposed previously by some of the southern European agencies, where fines in the millions of euros have been fairly common.
Information security is an arms race
We do not know the details of the relevant BA security systems, and the GDPR only requires that security be ‘appropriate’. However, any security system, no matter how good, can always be vulnerable to human error, insider wrongdoing or attack from a skilled and well-resourced external body.
Has the ICO been moving the goalposts so that any vulnerability to any threat means that security is not ‘appropriate’? What security standard is ‘appropriate’? Could compliance with an ISO or other relevant standard prove ‘appropriateness’?
BA will probably appeal
We don’t know the details of the BA case, but it seems that if the fine is imposed, BA will appeal. This is welcome, as there is relatively little case law in this area. It will be interesting to see some critical exploration of how the regulator assesses the facts of a case, determines the level of fine appropriate for a particular breach, and deals with cases where an organisation with reasonable security is deliberately attacked by a third party. More transparency should help organisations to design more effective approaches to reducing regulatory risk.
Victims of cyber crime face penalties
There have been several cases where organisations that have been the victims of cyber crime have then been subject to regulatory action, while the perpetrator goes unpunished. Isn’t this a bit like the victim of a burglary being charged for having a 3-lever mortice lock on the front door rather than a 5-lever one? How should regulators deal with cases where the organisation technically responsible for a breach has itself been the victim of a cyber attack?
Security arrangements should be under constant review
The best defence for organisations is to keep security arrangements under constant review, to seek independent third-party verification periodically, and to document their security arrangements comprehensively. Whilst this will not provide immunity from regulatory action, it is the best an organisation can do to demonstrate its attempt to comply with the relevant legal requirements.
The Grant Thornton Data Governance and Cyber Consultancy teams have helped many organisations assess and improve their security posture, pre- and post-breach. Contact us for more information.