The BA Fine – The boardroom’s responsibilities: what are your business risks?

How will the BA fine affect your business? After over a year of delay, the Information Commissioner’s Office (ICO) finally issued their much-anticipated Penalty Notice against British Airways on 16th October 2020.

There have been headlines and debate around the size of the penalty. But the real focus should be on what the Notice tells us about the ICO’s approach to assessing whether an organisation is following the GDPR with regards to information security.

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.” ICO press release.

We have distilled the 114-page Notice into three insights containing the key lessons to learn:

  1. The data protection landscape is changing – act now 
  2. How British Airways security flaws let data theft unfold
  3. The boardroom’s responsibilities – what are your business risks?

Join our webinar on THU, NOV 19, 202010:00 AM – 10:45 AM GMT to find out how the BA fine will affect your business.

 

Can your organisation demonstrate how personal data is managed?

 

When a breach happens, the ICO will want to see the evidence:

  1. That you have invested an appropriate amount of time and resource in information security.
  2. What that investment was on, i.e. what security measures you had in place, both the technical measures and your policies and procedures.
  3. Whether the measures were working – i.e. whether the reality of what was happening at the time of the breach matched what you said you would be doing to protect the data.
  4. What you considered when deciding to use the particular security measures – i.e. the decision-making process behind why you considered them appropriate for your organisation.

Organisations have been accountable for data protection since 1984. Yet the introduction of the GDPR was the first time there was an outright “accountability” principle. It made clear every organisation

“shall be responsible for, and be able to demonstrate compliance with [the data protection principles]” Article 5(2)

Last year the ICO flagged the importance of accountability:

“…the crucial, crucial change the law brought was around accountability.

Accountability encapsulates everything the GDPR is about.

It enshrines in law an onus…to understand the risks that they create for others with their data processing, and to mitigate those risks.

I don’t see that change in practice yet. I don’t see it in the breaches reported to the ICO….in the cases we investigate…”

Data Protection Practitioners’ Conference, April 2019 [1]

Accountability was at the heart of the BA case. From the information available, it would appear that BA found it difficult to provide evidence of their decision making, at several points during the investigation.

When asked to provide up-to-date risk-assessments, they couldn’t locate them.

When trying to defend why certain measures were not in place, they were not able to simply point to the records outlining how they reached their decisions. This meant they couldn’t demonstrate they had considered alternatives or why they had discounted particular measures.

And when trying to explain themselves after the event, the ICO found their arguments unconvincing.

It could have been different. Imagine if BA had been able to say “Here are the logs and monitoring data that show our security was working as planned. And here’s our decision-making process for each aspect of our information security. Each decision is based on the nature, scope, context and purposes of processing and the risk to the rights of people, the cost, and the current industry standards…and we, therefore, believe they are appropriate.”

 

Does risk assessment underpin how you make IT decisions?

 

The ICO noted that BA:

“implemented a number of remedial technical measures so as to reduce the risk of a similar Attack in future, and has indicated that expenditure on IT security will not be reduced as a result of the impact of Covid-19.” (7.46, p73)

It is important to recognise that BA is now, after the event and with the ICO watching, having to use unplanned time and resource to address security issues as well as make a public commitment to future spend in this area.

Organisations should not get into this position. The ICO is frequently at pains to highlight that the law requires appropriate measures to be in place depending on the circumstances of each organisation:

“The Commissioner does not find that simply because an attack took place BA was in breach of its obligations under the GDPR. Instead, the Attack which did occur exposed the fact that BA had failed to secure its systems in an appropriate manner.” (6.111, p59)

The ICO is interested in “whether a particular data controller has taken appropriate steps by reference to the data it is processing.” (6.106, p58)

It is not the ICO’s role to “investigate and establish the extent of any damage that may have been caused to any particular data subject.” (7.45, p73)

Here, both the challenges and the advantages of data protection’s principles-based approach can be seen.

It is helpful that the law recognises one size fits none; that organisations need the flexibility to select security measures that fit and work for them given their size, budget, the sensitivity and volume of data they handle and their appetite for risk.

Yet this flexibility comes with responsibility. You need to have a documented, consistent, robust method for assessing what is appropriate and deciding which measures to adopt.

This is where your data protection and IT experts need to work together in harmony in order to assess risk and present options to you. They need to consider the nature, scope, context and purposes of processing and the risk to the rights of data subjects. They need to outline what the current industry standard solutions are, given the current threats and risks, and the costs of implementing the different options.

If this happens, you should be able to plan your IT spending and approach, based on an assessment of risk. IT should implement the agreed changes to the agreed plan, alongside ensuring the organisation is using the existing measures on a daily basis to manage data.

It is also worth considering, on top of the fine and the remedial IT measures, the other costs BA would also have incurred as a result of the breach:

  • External forensic consultants and legal advisers (BA tried to argue that it was appropriate to reduce the penalty by reference to these costs. The ICO did not) (7.51d, p75)
  • Making free credit monitoring available, which over 40,000 data subjects took up (7.12d, p64)
  • BA offered to reimburse all customers who had suffered financial losses as a direct result of the theft of their card details (7.44, pp72-73).

Such costs are often overlooked or underplayed but should form part of any assessment of the cost/benefit analysis of any security options.

 

 

Do IT and Data Protection meet regularly, and do they both present regularly to Senior Management?

 

The BA case demonstrates a long-held area of risk for many organisations: whether IT and data protection experts work well together.

This is critical. IT should not be expected to make decisions on the value and significance of personal data. That is a decision for the organisation.

IT should be expected to provide their expertise about the threats and risks the organisation faces, the technical options available to mitigate those risks, and the costs of those options. It would also be IT’s responsibility to deploy the solutions and maintain the operational functionality of the systems.

Data Protection should not be expected to know the specific technical details of the IT threats the organisation faces, or how to address them, however, their input should always be sought when assessing the risks to data subjects and the organisation, which may arise from the processing of personal data

Both teams should be expected to work with the rest of the organisation to assess and define what value and significance it wishes to allocate to the data being processed. They should be able to work with the organisation to assess the operational, commercial, regulatory and ethical risks the organisation faces when handling data.

If they work well together, senior management should be presented with options about which security measure is considered appropriate and why in order to enable them to make risk-based decisions.

 

 

Did your GDPR project cover information security and did it ever finish?

 

The ICO noted that:

“…the advent of the GDPR should have prompted a careful review of BA’s systems and security arrangements” (7.23, p67)

BA highlighted its “extensive commitment to information security” and the ICO accepted BA had put in place a programme to prepare its systems for the introduction of the GDPR.

But the ICO concluded that BA could only demonstrate a commitment to certain aspects of information security because the programme had failed to identify and address the deficiencies in BA’s security that were highlighted by the attack.

The ICO concluded that BA was negligent in failing to ensure that it had taken all appropriate measures to secure personal data. (7.21 and 7.23, pp66-67).

“In view of these factors, the Commissioner would expect BA to  have taken appropriate steps or a combination of appropriate steps to secure the personal  data  of its  customers; and considers that BA was negligent…in failing to do so.” (7.20, p66).

 

 

Avoid sounding like you do not value peoples’ personal data

 

It is understandable that BA’s lawyers would try everything to defend their client, avoid a fine or otherwise reduce the level of the fine.

However, this can result in the organisation’s views on its customers and their personal data becoming public knowledge. This risks giving the public the impression that the organisation is downplaying, or insufficiently concerned about the impact of the breach on their customers.

In this case, the ICO states that it thought it likely that many of the 429,612 individuals affected by the breach will, depending on their circumstances,

“have suffered anxiety and distress as a result of the disclosure of their personal information (including payment card information) to an unknown individual or individuals.” (7.12, pp62-63)

BA countered this position, resulting in them putting on public record, via the Notice, their belief that

  • It is “inherently unlikely’ that consumers will be distressed by learning their payment card data have been compromised.
  • Payment card breaches such as this one are “an entirely commonplace phenomenon” and therefore an “unavoidable fact of life”
  • The breach was not that serious because hundreds of thousands of customers were affected, rather than millions as in other breaches
  • The action taken to mitigate the impact of the attack would have immediately addressed all concerns on the part of its customer about their data being in the hands of criminals and/or otherwise outside of BA’s control (7.45, p73)

The ICO did not accept these points. The ICO also did not comment on:

“BA’s assertions that “claimant law firms will, for entirely self-serving purposes, use the word “distress” very liberally, essentially with the aim of garnering thousands of potential claimants on no­win-no-fee agreement…” The Commissioner applies that term in accordance with the legislation, when the  circumstances under consideration warrant it.” (7.12c, p64)

The reputational impact of making such statements public will be difficult to quantify, but need to be considered by all organisations.

[1] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/04/data-protection-practitioners-conference-2019/

Join our webinar on THU, NOV 19, 202010:00 AM – 10:45 AM GMT to find out how the BA fine will affect your business.