How the data breach is judged by regulators, and possibly by the courts, could tell us a lot about how GDPR might be applied to other UK companies.
On Friday 7 September British Airways announced that nearly 400,000 customers’ personal and financial data was compromised. This is one of the UK’s largest data breaches – and one of the first documented large-scale breaches to occur in the UK since the General Data Protection Regulation (GDPR) became effective on 25 May.
The incident could be a precedent for how other breaches will be perceived and dealt with under GDPR.
BA customers who used BA.com or the BA app to book or change flights between 22:58 on 21 August and 21:45 on 5 September could have had their personal and financial information compromised. Passport and travel information was not affected.
This type of attack is quite common and is frequently seen in the hospitality and retail industries on point-of-sale devices. Although most companies do not handle third-party data on the scale of a large airline, they are still vulnerable to similar breaches and the resulting losses.
BA could potentially face fines from the Information Commissioner's Office (ICO), which is looking into the breach. This is in addition to the possible considerable cost of forensics, legal bills, PR costs and any reputational damage. The National Crime Agency and National Cyber Security Centre also confirmed they were assessing the incident.
Under the Regulation, fines imposed following a data breach can be up to 4% of the company’s annual global revenue or £17 million, whichever is greater. In BA’s case, a maximum 4% fine could amount to around £500m. However, in light of how the Regulation is applied and the measures adopted by BA, it is highly unlikely any fine would be so large.
The breach could also set a precedent for how such breaches (under GDPR) are judged in subsequent court cases.
While apologising for the breach, BA’s boss Alex Cruz also promised that the company would compensate any customer for “any financial hardship that they may have suffered”.
Companies should note that if they are breached, and third-party data is compromised, they might not be liable only for compensating customers for “financial losses”.
Under Article 82 of GDPR, any person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to receive compensation for the damage suffered. This could include, but is not limited to, claims for distress, anxiety and reputational damage.
SPG Law – the UK arm of US law giant Sanders Phillips Grossman – has reportedly launched a £500m group action against BA. The law firm says it has launched the group action following BA’s failure to offer financial compensation to individuals affected by the data breach for the inconvenience, distress and misuse of their private information. SPG Law estimates that each affected person may be able to claim up to £1,250 in compensation against BA.
Companies may be wondering: what is the extent of any compensation claim that we may be required to pay?
This is currently very difficult to predict, as the courts have not yet released any judgment for such compensation claims brought under GDPR. However, it is possible that this liability could be significant for companies if they face claims from multiple claimants for a breach of data.
Details of BA’s data breach are still to be fully disclosed, but we can surmise that the attacker(s) installed card-scraping software on BA systems that recorded payment information, including the cardholder’s name and possibly address. The software would then have sent this information back to the attacker(s).
With the lack of publicly available information on the breach, it is too early to provide concrete advice to companies on how to avoid a similar breach. However, the regular application of security patches could help companies to protect themselves against many similar occurrences.
It is advisable that companies identify all the software used on their systems, monitor the release of new patches from vendors (specifically security patches, rather than feature patches) and apply them as soon as feasible. They should then deploy vulnerability scanning to confirm that the patches have actually been installed and, finally, regularly monitor their systems and network for any unusual activity.
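The three steps above (check the software inventory against security advisories, confirm by scanning that the patch is really present, and watch for unexpected network activity) can be expressed as simple checks. The script below is an added example written for this article, not code from BA or any vendor; the inventory, advisory identifiers (the `ADV-EXAMPLE-*` values), scan results and firewall log lines are all constructed, and the host names and addresses are hypothetical.

```python
"""Patch-compliance and egress-monitoring checks (added example; all data constructed)."""
import re


def parse_version(version):
    """Split '2.4.29' into (2, 4, 29) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


# Constructed asset register: what the company *believes* is installed on each host.
INVENTORY = [
    {"host": "web-01", "product": "apache-httpd", "version": "2.4.29"},
    {"host": "web-02", "product": "apache-httpd", "version": "2.4.41"},
    {"host": "web-03", "product": "nginx", "version": "1.16.0"},
    {"host": "pay-01", "product": "openssl", "version": "1.1.0"},
]

# Constructed vendor advisories. Only "security" ones count for compliance;
# feature releases are tracked but do not generate findings.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "product": "apache-httpd", "fixed_in": "2.4.39", "kind": "security"},
    {"id": "ADV-EXAMPLE-002", "product": "nginx", "fixed_in": "1.18.0", "kind": "feature"},
    {"id": "ADV-EXAMPLE-003", "product": "openssl", "fixed_in": "1.1.1", "kind": "security"},
]

# Constructed output of a vulnerability scan: the version actually observed on each host.
SCAN_RESULTS = {
    ("web-01", "apache-httpd"): "2.4.29",
    ("web-02", "apache-httpd"): "2.4.29",  # register says 2.4.41, scanner sees 2.4.29
    ("web-03", "nginx"): "1.16.0",
    ("pay-01", "openssl"): "1.1.0",
}


def missing_security_patches(inventory, advisories):
    """Step 1: every installed version older than the fix version of a security advisory."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv["kind"] != "security" or adv["product"] != item["product"]:
                continue
            if parse_version(item["version"]) < parse_version(adv["fixed_in"]):
                findings.append((item["host"], item["product"], item["version"], adv["fixed_in"], adv["id"]))
    return findings


def verify_against_scan(inventory, scan_results):
    """Step 2: hosts where the asset register and the scanner disagree (or the host was never scanned).

    A patch recorded as applied but not seen by the scanner is the case the article warns about."""
    drift = []
    for item in inventory:
        observed = scan_results.get((item["host"], item["product"]))
        if observed is None or parse_version(observed) != parse_version(item["version"]):
            drift.append((item["host"], item["product"], item["version"], observed))
    return drift


# Constructed firewall egress log lines (RFC 5737 documentation addresses used for external hosts).
EGRESS_LOG = [
    "2018-09-01T10:12:03Z src=10.0.5.10 dst=203.0.113.7 dport=443 bytes=1820",
    "2018-09-01T10:12:09Z src=10.0.5.10 dst=198.51.100.23 dport=443 bytes=48211",
    "2018-09-01T10:13:44Z src=10.0.7.2 dst=198.51.100.23 dport=443 bytes=900",
    "malformed line that the parser must skip",
]
PAYMENT_HOSTS = {"10.0.5.10", "10.0.5.11"}          # hypothetical payment-tier servers
ALLOWED_EGRESS = {"203.0.113.7:443"}                 # hypothetical payment processor endpoint
LOG_PATTERN = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def unexpected_egress(log_lines, payment_hosts, allowed):
    """Step 3: outbound connections from payment hosts to any destination not on the allowlist."""
    alerts = []
    for line in log_lines:
        match = LOG_PATTERN.search(line)
        if not match:
            continue  # skip lines that do not look like egress records
        src, dst, dport = match.groups()
        if src in payment_hosts and f"{dst}:{dport}" not in allowed:
            alerts.append((src, dst, int(dport)))
    return alerts


if __name__ == "__main__":
    for finding in missing_security_patches(INVENTORY, ADVISORIES):
        print("MISSING PATCH:", finding)
    for item in verify_against_scan(INVENTORY, SCAN_RESULTS):
        print("REGISTER/SCAN DRIFT:", item)
    for alert in unexpected_egress(EGRESS_LOG, PAYMENT_HOSTS, ALLOWED_EGRESS):
        print("UNEXPECTED EGRESS:", alert)
```

Running it against the constructed data reports web-01 and pay-01 as missing security fixes, web-02 as a host the register says is patched but the scanner says is not, and one connection from a payment host to an address outside the allowlist. In practice the inventory would come from the asset register, the advisory list from vendor feeds, and the scan results and log lines from the scanner and firewall exports; the comparison logic stays the same.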
It is also worth considering a specialist cyber insurance policy. Excepting any fines imposed, a specialist cyber insurance policy would cover all of the losses resulting from such a breach, including the costs of investigating the breach, notifying affected parties and legal defence costs.
For more information, please contact Peter Erceg on:
+44 (0)20 7933 2608