BA’s massive cyber fine sends out a clear signal, but does it drive home a point?

The UK’s Information Commissioner’s Office (ICO) intends to levy a record fine of GBP 183 million (US$ 230 million) on British Airways (BA) for a data breach that occurred last year and compromised the personal data of up to 500,000 customers. The sanction is a bold expression of the sweeping new powers that data-protection regulators across Europe acquired when the General Data Protection Regulation (GDPR) came into force last May.

The ICO claimed that a variety of information held by BA was compromised as a result of poor security arrangements at the company. The penalty is the first to be made public since the GDPR rules took effect, rules which, among other things, made it mandatory to report personal data breaches to the information commissioner.

GDPR also raised the maximum penalty to 4% of annual worldwide turnover; the proposed BA sanction amounts to roughly 1.5% of the company’s worldwide turnover in 2017. BA has 28 days in which to respond before the penalty is finalised.

At its core, the spirit of GDPR is to place greater emphasis on protecting the confidentiality and integrity of personal data, whether at rest, in motion, or in use, at a time of exponential growth in digital connectivity. Organisations that fail to comply risk a severe sanction, as BA is now experiencing, while also facing potentially greater reputational and litigation costs.

What GDPR aims to prompt is for organisations to take a hard look at their business practices and to invest significantly in the resources, structures and policies needed to prevent, detect, respond to, and quickly recover from attempts to compromise their digital systems.

The “big stick” approach to regulation has its place, though lawmakers should also bear in mind that not every breach is a direct result of negligence or “poor security arrangements”. Wider consideration therefore ought to be given both to how the circumstances of a breach or attempted breach are published, and to the countermeasures and remedies that followed it.

Awareness campaigns, and plain explanations of what a proactive cyber-resilience plan consists of, should also be communicated on an ongoing basis, with real and significant incentives for organisations that operate for defined periods of time without falling victim to a cyber incident resulting in loss.
