‘When you are entrusted with personal data, you must look after it,’ regulator says.
British Airways faces a £183-million ($300-million Cdn) fine over a breach that compromised information on half a million customers — the biggest penalty to date under new, tougher British regulations, and one likely to be seen as a test case for companies that fail to secure big data caches.
Britain’s information commissioner proposed the fine on Monday, months after BA revealed it had been the victim of a hack. The scam saw customers diverted to a fake website where credit card details were harvested by the attackers.
“People’s personal data is just that — personal. When an organization fails to protect it from loss, damage or theft, it is more than an inconvenience,” Information Commissioner Elizabeth Denham said. “That’s why the law is clear — when you are entrusted with personal data, you must look after it.”
Fine is 1.5% of revenue
The regulator said the proposed fine — equivalent to 1.5 per cent of the airline’s annual revenue — is the biggest it has ever imposed. It comes about a year after European Union member states began implementing the most sweeping change in data protection rules in a generation.
The General Data Protection Regulation (GDPR) is designed to make it easier for EU residents to give and withdraw permission for companies to use personal information — but also forces companies that hold data to be accountable for looking after it. Authorities can fine companies up to four per cent of annual revenue, or €20 million ($29 million), whichever is higher, for breaching the rules.
The Information Commissioner’s Office says its investigation of BA found “poor security arrangements” compromised login, payment card and travel booking details, as well as name and address information.
The parent company of BA, International Airlines Group, said it would fight the proposed fine. It has 28 days to make its case in the first step of the process, which could take some time to complete.
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” said IAG CEO Willie Walsh.
New rules since Cambridge Analytica scandal
Chester Wisniewski, principal research scientist at cybersecurity firm Sophos, said the fine sets a precedent for what to expect from the information commissioner in the future.
“It’s not so much that you’re required to never be attacked or have a data breach. It’s … based upon how quickly you respond, how you advise … consumers — all of that is factored in,” he told CBC News.
This is the first fine since the law was changed in May 2018 that “should get everyone’s attention,” he said. “The previous limits were not enough to get any attention from a Google, a Facebook or even a British Airways.”
Previously, they could pay a penalty and move on, because penalties for data breaches that hurt customers were too low, he added.
The proposed fine is the largest for the ICO since telling Facebook to pay £500,000 ($819,450 Cdn) for allowing the political consultancy Cambridge Analytica to forage through the personal data of millions of unknowing Facebook users.
But the Facebook matter took place before the new GDPR rules came into effect and was the maximum penalty at the time of the incidents.
The proposed BA fine could particularly worry companies that use lots of data, even though their business concerns something else, such as flying planes. These companies have to really open themselves to securing their data despite the cost or face scary fines, said Emily Taylor, CEO of Oxford Information Labs, a cybersecurity consultancy.
The information commissioner’s office is “going for a very big signal to the entire marketplace,” Taylor said. “This is the message: Get your information security house in order.”
Wisniewski says larger companies will take note, but he’s worried about small ones.
“The real challenge that we’ve seen is that smaller businesses either don’t understand the rules themselves or don’t feel that they really apply to them,” he said.