ICO issues British Airways with a ground-breaking fine
On 16 October 2020, the Information Commissioner’s Office (the “ICO”) imposed a monetary penalty notice fining British Airways Plc (“BA”) £20 million for breaching its data security obligations under the General Data Protection Regulation (the “GDPR”) in connection with a cyber-attack it suffered in 2018. This is the ICO’s largest fine to date, and the amount imposed is a significant reduction on the £183.39 million that the ICO announced it intended to fine BA back in July 2019.
Details of the cyber attack
The attacker is believed to have accessed the personal data of over 400,000 BA customers and staff members worldwide. The information obtained included names, addresses, payment card numbers and CVV numbers, although it is thought that only around 100,000 customers had their payment information accessed. The attack went undetected for over two months, from 22 June to 5 September 2018.
Usernames and passwords of BA employee accounts, as well as usernames and PINs of up to 600 BA Executive Club accounts, were also potentially accessed.
Failure to prevent the attack
In its penalty notice, the ICO listed a number of measures that BA could have used to mitigate the risk of the attacker being able to access personal data through the BA network. These include:
- limiting access to applications, data and tools to only those which are required to fulfil a user’s role;
- undertaking rigorous testing of the business’ systems, in the form of simulating a cyber-attack; and
- protecting employee and third party accounts with multi-factor authentication.
The ICO noted that these additional measures would not have entailed excessive cost or technical barriers for BA, as some of them were already available through the Microsoft operating system that BA used.
Another consequential factor taken into account by the ICO was that BA did not detect the attack itself: the attack began on 22 June 2018, and BA was informed of it by a third party more than two months later, on 5 September 2018. The ICO considered this to be a severe failing, because it is not clear whether, or when, BA would have identified the attack on its own. Had it not been for this third party, the financial harm could have been even more widespread.
The fine payable by BA is the largest imposed to date by the ICO for a breach of the GDPR. Although £20 million appears to be a narrow escape (compared to the £183 million originally suggested by the ICO), Article 83 of the GDPR does require the ICO to ensure that any fine imposed is "effective, proportionate and dissuasive". The ICO took into account the prompt action BA took to mitigate the risk of harm once it became aware of the attack, as well as the economic impact of COVID-19 on the business – and, with all considerations weighed, imposed a greatly reduced (albeit still eye-watering) fine.