One data breach. Four hundred and thirty thousand victims. A myriad of personal information and credit card data stolen. It is the kind of scenario that threatened to ground one of the world’s biggest airlines, IAG-owned British Airways (BA). But, what’s the full story?

In 2018, the UK’s British Airways made headlines when criminal elements accessed the personal details of nearly a half-million of its clients. In one instance, the hackers lured British Airways customers to a phony website and succeeded in collecting their customer data and personal information. While investigating the breach, investigators realized that a prior breach had also occurred.

This is data that should have been guarded judiciously but somehow managed to slip through the cracks. Everyone was unanimous that BA had breached the EU’s General Data Protection Regulation (GDPR).

BA’s parent company, IAG, outlined two customer groups impacted by the earlier breaches, between April and July 2018. Seventy-seven thousand individuals’ names, addresses, and payment information were compromised. The other group comprised 108,000 people whose personal details were lost, besides their credit card’s CVV number (the three or four-digit number on the back of your card, to the right of the signature box). 

Picture of the attack as captured by RiskIQ

Picture of the attack as captured by RiskIQ

Implications of the ICO’s £20 Million Fine

An initial fine by the UK’s Information Commissioner’s Office (ICO) on behalf of all EU/EEA member states was just over £183 million. In the face of Covid-19’s impact on the company, British Airways will only be indebted to the tune of £20 million. A BBC analysis noted the ICO’s initial data breach penalty was 367 times as high as Facebook’s £500,000 fine from the Cambridge Analytica scandal. Still, it would only represent 1.5 percent of British Airways’  annual turnover, per the Daily Mail.

While many call it a mere slap on the wrist and say BA’s been let off the hook, a website has already been set up and is actively able to process customer claims. Multiple law firms are marketing themselves as able to assist in claims filings as well. All of this doesn’t even take into consideration the deafening blow British Airways has received to their brand and corporate image. It remains the largest single penalty that the data regulator has ever imposed. 

Companies as Custodians of Data

Why does this lawsuit matter? Firstly, it is the largest ever class action in British legal history. The outcome might tempt BA to believe they are home free. But, this would only be true if you ignore the fact that more than 16,000 victims are also seeking compensation from the airline. Each claimant could make a case for £2,000, according to the law firm taking up the case, Pogust, Goodhead, Mousinho, Bianchini and Martins.

Data is priceless in the modern world, and companies need to be accountable for any personal information they handle on their customers’ behalf. PGMBM’s Tom Goodhead stated that “British Airways passengers feel let down by what transpired. They are well within their rights to be compensated for what was previously a trusted airline playing fast and loose with their personal information, leaving it vulnerable for nefarious hackers to take advantage of.” The firm eyes a mouthwatering 800 million pounds if every victim showed up for the claim. Individual claimants could potentially receive several thousand pounds in compensation.

Cyber attacks are increasingly common. Typical corporate defense systems appear to build 10-foot walls, whereas the bad guys have extensible ten-mile ladders. The message is clear: organizations must take the lead in securing personal data with systems even more comprehensively than they use for processing data.

Weak Data Regulation

If the British Airways fine is the final word we hear on this, we can expect companies never to make data security a priority. The driving mentality would be that it took two years to reach this conclusion in the British Airways case. Then, there’s Covid-19 – a normal in today’s world – to help make a case for arbitrarily low fines.

It’ll be excellent to point out that one of the primary ideas in Article 1 of the GDPR is that data is a fundamental right. It goes further to pinpoint the responsibility of ensuring that data protection remains a priority despite the inevitable increase in data exchange. This would also be the perfect place to highlight three objectives of the regulation, namely:

1.    This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2.    This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

3.    The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

The regulation is clear that if you process data, you’re automatically assuming the role of responsible custodian of that data. Companies cannot make light of the issue.

BA told the court in a November case management hearing that it was willing to discuss settlement with the claimants. Only sustained pressure could have made this possible.

Many such as Aman Johal, director at Your Lawyers, believe justice will happen. He stated, “Justice will be served, and the decision will send a strong message to other big corporations that they must take data protection seriously or face the financial and reputational consequences.” 

The meager BA fine could indeed spur a wave of claimants joining the collective action. It then exposes a less obvious issue, which is whether the ICO is discharging its mandate effectively. Consumer groups would have enough grounds to question if the agency is only a toothless bulldog that would pander to corporate whim for no apparent reason. Whatever their explanation, organizations will have made a mental note of their lenient formula for calculating fines.

Dissecting the Legalese

There are several takeaways from this BA decision. Articles 77-82 of the GDPR provides for EU citizens and nonprofits to approach the courts in the event of data privacy infringement. There are two primary mechanisms for this:

1.     Group litigation orders (GLOs), and
2.     Representative actions

In GLOs, individual claimants “opt in” to form a large pool and present their case using a single management framework.

On the other hand, representative actions require a lead claimant to represent the other individuals, except they choose to opt out. These different individuals must have been victims of the same harm and have gone through the same loss.

Depending on the peculiarities of the case, a company can be subject to either of these mechanisms.

According to lawyers, far-reaching penalties by a data regulator could have adverse effects on a firm’s liability to data subjects. On the other hand, it could bolster affected persons interested in a class action suit that enables them to claim compensation directly.

The one significant hurdle is that class actions or collective compensatory redress are still in their teething stages in many countries. Could this be a small advantage for defaulting companies?

The entire BA scenario certainly establishes new parameters for companies and claimants. There will be a rise in class action litigation in the UK and several other countries, forcing the companies involved to funnel liability across the contractual chain.

Companies will typically attempt to pass the buck and blame their suppliers and vendors. Also, expect legal duels over who processes and controls the data under the spotlight.

This responsibility of roping in the contractual chain will most likely fall on the companies. The reason is that data regulators are often reluctant to scrutinize third parties to hold them accountable.

Looking Toward the Future

BA’s handling of this situation is irritating to many, but the behavior is not rare by any standards. Corporate recklessness is a big part of modern culture, therefore this issue transcends the airline industry. This reason is the spine behind GDPR.

Compare this to the US Health Insurance Portability and Accountability Act (HIPAA). HIPAA offers individuals the right to know who has their medical and other health-related information. This right is in addition to the federal requirement that information in electronic form should have  security. Health insurers, health care providers, and health care clearinghouses know better than to permit the slightest semblance of tardiness with respect to client information security.

This is not to say that every industry must develop data security regulation. That may be an unrealistic expectation, considering the rapidly blurring lines between industries. The one thing we all agree on is that data is more significant today than it has ever been. Governments can take the initiative to forge catch-all laws that protect the citizen if and when a data breach occurs. Companies will not like this but they must brace up to the new reality.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.