Breaches. GDPR. BA: Amid the acronyms lies the fine print – or the final print on the fines?
In the wake of the news earlier this month that British Airways had found, and reported, a data breach within the 72 hours mandated by the General Data Protection Regulation, the question remains: How much is it going to cost, if anything?
The breach itself was one where a cyberattack lasted from Aug. 21 to Sept. 5. The airline informed customers on Sept. 6 that as many as 380,000 individuals had been affected, where data tied to credit cards used for bookings had been pilfered.
Yes, the company gave notice of the breach in a single day, it seems. But beyond that, one wonders what may lie ahead for the company. Consider the fact that the stolen data, as reported in Forbes and other publications, was garnered through a script that helped the bad guys “skim” payment pages, and the methodologies have brought some observers to conclude that the hackers belong to Magecart, the group behind the Ticketmaster breach.
Timely reporting aside, BA could be on the hook for a fine as high as several hundred million pounds, or equal to as much as 4 percent of global turnover (revenues). That 4 percent benchmark would, of course, be a headline-making fine, a test case of sorts, where GDPR has been in effect since May 25 of this year and has yet to show any real traction in making an example of firms that do not adhere to rules governing data privacy and security.
Other Financial Impacts Loom
There are other financial impacts in the offing, and they could mushroom. There already is a class-action suit against the company in the works, one that was filed hours after news of the breach broke. The law firm spearheading the class action, SPG Law, has said that BA is liable for “non-material damage” under the Data Protection Act of 2018 (i.e., the U.K. implementation of GDPR), and has estimated that compensation should be around 1,250 pounds per individual.
Beyond that, BA would also be on the hook for damages that customers may indeed have encountered, or will encounter, from the breach.
Thus a bit of fine print – just what is non-material? SPG has said that compensation should come in the wake of “inconvenience” and “distress” and “misuse of private information” – and might these be rather nebulously defined? The door may be opened to all sorts of charges lobbed at the company, contending that damage has been done.
According to Bank Info Security, quoting U.K.-based attorney Jonathan Armstrong, class actions are likely to be more prevalent going forward. As the attorney noted: “I do think that there is more chance of these actions succeeding under GDPR than under U.S. law. I think we have established here that you do not need to show financial loss, as you might in some of the U.S. litigation.”
Even as class actions loom, the Information Commissioner’s Office (ICO) has been getting about 500 calls weekly to its breach reporting line since May 25, James Dipple-Johnstone said in a Sept. 12 speech to the CBI Cyber Security: Business Insight Conference, and amid that deluge, many organizations ultimately decided that their breach did not meet the reporting threshold. That threshold has been defined as a breach that may result in a risk to people's “rights and freedoms.”
The size and severity of the BA breach – test case though it may be – is small potatoes compared to the events that led up to the largest fine yet levied by the ICO: a 500,000-pound fine that came after the 2017 Equifax breach and was imposed this past week. That pre-GDPR occurrence drew the maximum penalty under prior legislation, which dates back to 1998.
The credit rating firm's breach came after the company had failed to patch a server that had been vulnerable for months, reports said. In the ICO investigation that followed, the regulator said that when it came to the data of U.K. citizens, the U.K.-based Equifax operations did not have adequate measures in place to ensure that the data was protected.
For Equifax, it seems a case of getting in under the wire. The stage may be set, then, for penalties for BA based on the loss of personal data, stolen with material consequences or not.
Deal With the Devil?
But there comes a new wrinkle, a troubling one. As noted at the end of last week, Europol, the EU police agency, said there may be a rise in breaches and in extortion attempts tied to those breaches – and, alarmingly, companies may opt to make deals with the bad guys rather than be on the hook for the aforementioned fines of 4 percent of global turnover (or 20 million euros, whichever is higher). After all, the extortion payment may be the smaller penalty to pay.
Talk about unintended consequences.
Facebook Faces Regulators’ Ire
Separately, and centered on data privacy rather than fines, the European Union is bearing down on social media giant Facebook over how the company handles data across the pond, with sanctions looming if it does not change course, as noted by The Wall Street Journal.
The company got some admonishment this past week from Vera Jourova, who serves as the European commissioner for justice, consumers and gender equality. She said Facebook has to change what she charged are “misleading” service terms by the end of 2018.
“I am becoming rather impatient. We have been in dialogue with Facebook almost two years,” she said, according to The WSJ. “I want to see not progress — that is not enough for me. I want to see results.” At issue is how the company monetizes consumers’ data. At present, Facebook uses hyperlinks to bring users to the company’s “data policy” that describes ad targeting efforts, which regulators contend is not enough.