On October 16, 2020, the UK Information Commissioner’s Office (“ICO”) announced its fine of £20,000,000 (approximately $25,850,000) for British Airways (“BA”), which is owned by International Consolidated Airlines Group, S.A, for violations of the EU General Data Protection Regulation (“GDPR”). This is a significant (approximately 90%) decrease from the proposed fine of £183,390,000 (approximately $230,000,000) announced by the ICO in July 2019, but is the largest fine imposed to date by the ICO.
The ICO found that BA failed to process the personal data of its customers in a manner that ensured appropriate security, as required under Article 5(1)(f) and Article 32 of the GDPR. The relevant data breach took place between June 22 and September 5, 2018, when an unidentified attacker gained access to BA’s IT systems and network. The attacker was able to redirect customer payment card data from the BA website to a fraudulent site controlled by the attacker, a process referred to as “skimming,” for a 15-day period. BA was informed of the issue by a third-party and notified the ICO on September 6, 2018. Overall, approximately 430,000 data subjects were affected.
As a result of the attack, customer personal data such as name, address and payment card details (including CVV) were harvested, as well as log-in details of BA employees and administrator accounts. Usernames and pin numbers of BA Executive Club accounts also were compromised. The ICO commented that BA was negligent in the circumstances, knowing that a company of its size and profile was likely to be targeted by attackers. It suggested various measures that BA could have taken to prevent the breach from occurring, which were not implemented, and commented that each of the several steps that the attacker took, leading to the eventual breach of personal data, “could have been prevented, or its impact mitigated, by BA implementing one or more of a range of appropriate measures that were open to it.” In addition, the ICO commented that although special category data was not involved, the financial data compromised was considered sensitive. The ICO also commented: “The failures are especially serious in circumstances where it is unclear whether or when BA itself would ever have detected the breach.”
In addition, the ICO pointed to the “anxiety and distress” that individuals suffered as a result of the disclosure of their personal information, and disagreed with BA’s contention that payment card breaches are an “unavoidable fact of life,” commenting: “These statements trivialize what was a serious failure on BA’s part.”
In calculating the fine, the ICO took into account BA’s representations in response to the original Notice of Intention to fine and additional technical information that BA submitted, together with the factors listed in Article 83(2) of the GDPR, which include the nature, gravity and duration of the infringement, the number of data subjects affected and the damage to them, and steps taken to mitigate the impact of the incident. Mitigating factors included the fact that BA did not gain any financial benefit from the breach, notified the ICO promptly on becoming aware of it, had no relevant previous infringements and offered to compensate individuals for financial loss suffered as a direct result of the theft of their card details. The ICO stated that BA had cooperated fully with the investigation, and noted the improvements that have been made to BA’s IT security since the breach. The Penalty Notice also sets out in some detail BA’s legal challenges to the ICO’s approach to calculating the fine, which include wide-ranging administrative law arguments and criticism of the ICO’s apparent reliance on a Draft Internal Procedure (which the ICO stated it had not relied on in calculating the final penalty). The ICO reduced the fine by 20% (to £24 million) to reflect the mitigating actions taken by BA, and reduced the fine by a further £4 million to reflect the economic consequences of the COVID-19 pandemic.
Finally, it also should be noted that the potential fine under the GDPR for infringement of the security principle differs under Article 5(1)(f) (the higher level of up to 4% of total worldwide turnover) and Article 32 (the lower level of up to 2%). The ICO addressed this apparent anomaly, acknowledging the overlap between Articles 5 and 32 but relying on Article 83(3), which provides that where several provisions of the GDPR are infringed, the total amount of the fine “shall not exceed the amount specified for the gravest infringement.”
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code