British Airways slapped with biggest ever fine for data breach

What does the BA fine tell us about the ICO’s attitude towards calculating fines more generally?

The key takeaway

Mitigation of a breach will only get organisations so far. While BA were successful in reducing their original proposed fine of £183m, £20m is still the largest amount to be handed down by the ICO. This highlights the importance of having effective data governance protocols and systems in place.

The background

The ICO has fined British Airways £20m for a significant data incident that occurred over several months in 2018, resulting in the loss of personal data of over 400,000 staff and customers including banking/payment information, names and addresses. User traffic from the BA website was diverted to a fraudulent website which then harvested customers details including CVV and card numbers, as well as employee usernames and passwords. The fraudulent activity took place between 21 August to 5 September 2018 without interrupting the usual BA booking and payment procedure. The ICO found that BA were processing huge volumes of personal data with inadequate security measures in place to protect consumers and employees alike against the unauthorised or unlawful processing, accidental loss, destruction or damage of their personal data. 

The GDPR sets out two levels of fine. For less severe infringements, organisations can be fined up to €10m, or 2% of its total worldwide turnover of the preceding financial year, whichever is higher.

The more severe infringements could result in a fine of up to €20m, or 4% of its total worldwide turnover of the preceding financial year, whichever is higher. 
In June 2019, after their investigation was finalised, the ICO issued BA with a notice of intent to fine BA £183m (equivalent to 1.5% of BA’s global turnover). However, upon review the ICO elected to reduce it to £20m (a 90% decrease but still the largest fine that the ICO has dealt out to date).

The development

When calculating the reduced fine, the ICO took into account BA’s representations in response to the original fine notice, the supplementary information provided by BA, together with the factors listed in Article 83(2) of the GDPR, which include the nature, gravity and duration of the infringement, the number of data subjects affected and the damage to them, and the steps taken to mitigate the impact of the incident. The ICO noted BA’s mitigating factors including the immediate steps BA had taken to promptly inform the individuals affected, minimise any damage suffered and implement remedial measures. BA had notified the ICO once they became aware of the breach as well as actively cooperating with the ICO and other enforcement agencies. Interestingly, the ICO also considered that the media attention this breach received was likely to increase awareness of the risks posed by cyber incidents and mobilise other organisations to take preventative action, while also negatively impacting BA’s brand and reputation. Finally, with the airline and travel industry being one of the most impacted sectors and demand decreasing by around 98%, the ICO took into account the impact of the pandemic on BA in its final assessment of the fine (although the overall reduction due to COVID-19 was only £4m out of the £163m reduction).

The Penalty Notice also sets out in some detail BA’s legal challenges to the ICO’s approach to calculating the fine, which include wide-ranging administrative law arguments and criticism of the ICO’s apparent reliance on a Draft Internal Procedure (which the ICO stated it had not relied on in calculating the final penalty, in particular the turnover-based “bands” defined in the document). BA attempted to argue that relying on turnover in order to calculate fines was arbitrary because “it bears no meaningful relationship to the wrong at issue”. However, the ICO remained steadfast that while turnover is not the sole factor, it remained a relevant factor in determining the most appropriate level of penalty and is unlikely to change this position.