< Back to latest news & events

News

British Airways’ fine reduced to £20 million

October 2020

Information Commissioner’s Office substantially reduces the intended fine following BA submissions and full consideration of the issues.

Back in September 2018 we wrote about BA experiencing a large scale data breach following a sophisticated criminal attack which involved the bad actor compromising BA’s systems by misusing legitimate credentials which BA had given a third party service provider’s staff member. In the aftermath of the breach, the ICO announced their intention to fine BA £183 million, however, following three rounds of submissions from BA the ICO have now issued a notice that they are fining BA £20 million (initially reduced down to £30 million then to £20 million including a £3 million COVID-19 deduction) for the data breach that affected more than 400,000 BA customers; and allowed unlawful access to over 100,000 credit card details.

While reducing the fine by over £160 million will be seen as a success by BA, given the wider challenges faced in the aviation industry, the fine is still unwelcome. That said, from an outsider’s perspective £20 million would seem like a much larger sanction and deterrent, had the ICO not initially indicated a much larger figure.

BA’s issues stem from having IT systems in place that did not provide an adequate degree of security, particularly given the volume and nature of the personal data being processed. Further, information was being retained which BA did not need (or even intend to retain). BA did not even discover the security breach itself, indicating inadequate network monitoring, but rather was informed of an anomaly by an observant third party which sparked their response efforts. There is always a challenge in preparing for and preventing all possible attacks from malicious actors, however BA’s approach was considered inadequate, which led to this fine. BA does have a right to appeal so this process may not be over yet.

To avoid ending up in a similar position, it is essential that businesses have the technical and organisational systems in place to protect the personal data they process and that they deploy automated monitoring tools scanning for system anomalies which may indicate a personal data breach is happening. Such measures should be proportionate to the nature (e.g. volume, risk, sensitivity) of the personal data being processed. Consideration should also be given to only retaining personal data for as long as necessary with appropriate operationalisation of data retention policies.

BA does get credit for its response to the breach once  discovered. Under GDPR, given the seriousness of the breach and the risks to customers, BA was obliged to notify promptly the ICO, which it did, suggesting its internal processes around data breach reporting were up to date. As mentioned in our previous article, data breach reporting (introduced by GDPR) has brought a new angle to how organisations respond to data breaches. Breaches do not necessarily need to be reported unless they are of a serious nature but where they are reportable there are tight timescales for action. Given the timescales required, the time it may take to identify the nature of a breach and whether it is reportable, having clear policies, procedures and reporting lines avoids confusion, enables reportable breaches to be correctly identified, and mitigates the publicity and regulatory fallout of a muddled or non-compliant approach. Organisations with mature data protection programs hold regular personal data breach simulations to rehearse their response times and effectiveness.

Being prepared to handle a breach involves identifying people within your organisation who have responsibility for data protection, ensuring employees know the importance of reporting a breach, setting out key criteria for decision making and keeping a record not just of reportable breaches but also of non-reportable breaches which includes your justification for not reporting.

Given that two and a half years have passed since the introduction of GDPR now might be a good time to consider reviewing your organisation’s policies and procedures around data protection and whether much has changed in the way you handle personal data since they were put in place. Sophisticated organisations increasingly engage “white hat” hackers to test their data security to identify weak spots before the bad actors do. Given the ongoing nature of working towards GDPR compliance, if your data breach response policies and procedures haven’t been looked at since they were put together, the reminder of the financial and publicity implication of failures in this area might prompt an overdue review!

This article was prepared by HGF Senior IP Solicitors James Talbot and Emily Nousios. If you would like further advice on this or any other matter, please contact James or Emily. Alternatively, you can contact your usual HGF representative or visit our Contact page to get in touch with your nearest HGF office.

Latest updates

PRESS RELEASE - HGF Appoints new Chair of the Board: Formerly Head of Engineering, Lucy Johnson

HGF announced a new Chair to its Management Board, Lucy Johnson. Lucy was previously head of the firm’s Engineering Group.  Effective immediately Lucy succeeds Jason Lumber who held the position …

Read article

Blog Series: IP Ingredients, Part 7: Data in food and beverage parent applications - Why, What & How much?

Questions I often get asked by innovators looking to file a patent application include: “What kind of experimental data do I need to include?” and “How many examples do we …

Read article

HGF ranked in The Legal 500 Germany 2024

HGF is proud to be ranked in The Legal 500 Germany 2024 guide. The Legal 500 provides the most comprehensive worldwide coverage on recommended Law firms, Lawyers, Attorneys, Advocates, Solicitors, …

Read article

EPO Annual Fee Increases

The European Patent Office (EPO) has announced that revised Official Fees will apply to payments made on or after Monday 1st April 2024. The majority of fees will increase by …

Read article

Tanya Waller Recognised as Lexology Legal Influencer for IP

We are delighted to share that our Trade Mark Director Tanya Waller has been recognised as a Lexology Legal influencer for Q4/2023! Tanya provides high-quality legal content for our website …

Read article

WTR 1000 2024

We are delighted to announce that our European trade mark team has been recognised in the gold tier world Trade Mark Review 1000 2024. The firm is also proud to …

Read article

Blog Series - IP Ingredients, Part 6: Geographical Indications: “What’s in a [place] name?”

You are likely to be familiar with Scotch Whisky, Champagne, Welsh Lamb, Stilton blue cheese and Jersey royal potatoes but did you know that the names of some of your …

Read article