5 Things Barristers Can Learn From The £183 Million British Airways GDPR Fine
I’m going to take a punt that no UK barrister needs to worry about a fine of £183.39 million. I’m fairly certain no-one has the turnover British Airways has. However, in the wake of the Information Commissioner’s Office (ICO) announcing that they intend to fine British Airways £183.39 million for a data breach, what can a barrister glean from this case that is relevant?
Facts of the Case
In September 2018, users of British Airways' website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers, including login, payment card and travel booking details, as well as name and address information.
The incident was first disclosed on 6th September 2018, approx. 15 weeks after GDPR came into effect. The stolen data did not include travel or passport details.
The penalty imposed on British Airways is the first one to be made public by the ICO since the introduction of GDPR, which makes it mandatory for businesses to report data security breaches to the ICO within 72 hours.
1. Being a victim of crime is no defence
British Airways were actively targeted by sophisticated cyber criminals and were essentially victims of crime. Your chambers’ website or your hosted diary management system could be targeted in the same way, or you could simply have your laptop stolen from your home (as another barrister who incurred the wrath of the ICO did). Regardless of your ‘victim’ status, the ICO will fine you if they believe you didn’t take adequate security measures to protect personal information.
2. Barristers are more vulnerable to fines than BA
The information breached by British Airways was limited to login details, payment card details and travel booking details, as well as name and address information. None of this falls into ‘special category’ data, which is what the ICO usually come down hardest on and which we look at as ‘high risk’ information. Special categories include information pertaining to the health, sex life, political, religious or ethnic backgrounds of individuals.
Barristers who practise in the areas of family, crime, employment or civil litigation will of course handle special category data on a daily basis, as does their chambers. To this end, barristers routinely handle much higher risk information. Even one brief going missing with that type of information will cause the ICO to act.
3. No-one needs to get hurt
British Airways stated at the time of the breach there was no evidence that any of the information stolen had led to fraudulent activity. What they were really saying is ‘no-one was hurt’ in the hope this would mean no penalty for them. That’s not how the ICO works - as far as they are concerned, if you lose control of the information, that’s enough for them to fine you. The ICO does not have to prove that the owners of the information suffered any kind of loss, something that goes against the grain for barristers used to calculating damages in cases based on an actual loss suffered by the victim.
4. Lawyers are Profiting from the British Airways fine
Speaking of individuals suffering a loss, a number of law firms have been aggressively advertising that they can get compensation for the ‘victims’ of the British Airways data breach. So the fine may be only one of the financial blows that British Airways are facing this year. I guess this means a new area of practice opening up, for those that are interested. For everyone else, this just means that lawyers are signalling to Joe Public that they can profit from data breaches – which now means it’s not just the ICO businesses need to worry about, it’s the man on the street pondering the opportunity for a quick compensation claim. Will it be the new whiplash claim?
5. Fixing things afterwards doesn’t get you out of a fine
It seems that British Airways became aware of the breach within less than 2 weeks, and that they have taken significant steps to fix the weakness which allowed the hacker to exploit their systems. But this hasn’t prevented a massive fine, the world-wide publicity and a significant dip in their share valuation. There’s little point mending the gate after the horse has bolted - you need to constantly watch out for risks in your practice, and make sure you fix them before something goes wrong.
I feel sorry for British Airways, I really do. I think it’s an outrageously high fine and I think that they are being made an example of. But it shows the ICO mean business. The Commissioner herself commented:
“… the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
One thing is clear - the ICO has moved the game to another level. After 14 months of criticism for ‘doing nothing’ they’ve come out with the gloves on. Who’s going to be next?
Orlagh Kelly is a Barrister and Managing Director at Briefed, www.briefed.pro, specialising in GDPR compliance for the Bar.
Exclusive provider of GDPR training for barristers and chambers in partnership with the Bar Council of England and Wales, her next GDPR training event is this month; check our Events Page for more information.