BA ICO fine - How record fine might affect data protection liability in future
October 2020 by Paul Cahill, data breach solicitor at Fletchers Data Claims
Following the news that the ICO has issued British Airways with a £20m fine - the largest it has handed out to date - for failing to protect its customers’ personal data in a previous cyber-attack, Paul Cahill, data breach solicitor at Fletchers Data Claims, offers an expert comment outlining how this ruling might affect data breach liabilities moving forward.
“Whilst it might seem that BA has had a lucky escape here – with the original notice from the ICO suggesting a fine of £183.9 million – the ICO’s decision is likely to have large companies reviewing their data security arrangements and seeking to strengthen their protection against cyber-attacks.
“The ICO has decided that despite the fact that the data breach was not intentional or deliberate, BA was responsible for the breach of GDPR as a result of its failure to take ‘appropriate steps’ to secure its customers’ personal data. This decision shows that whilst the ICO does accept that the attack on BA’s systems was malicious, there were clear measures that could have been taken to protect customer data from such an attack.
“The decision suggests that companies cannot simply point to their security measures and suggest that they have tried to prevent an attack, but instead need to show that they regularly review and update their procedures, and could not have reasonably been expected to prevent the attack being successful.”