British Airways fined £20m over data breach

British Airways has been fined £20m by the Information Commissioner's Office (ICO) for a data breach in June 2018 which affected more than 400,000 customers.

16 October 2020
British Airways has been fined £20m ($26m) by the Information Commissioner's Office (ICO) for a data breach in June 2018 which affected more than 400,000 customers. The ICO's investigation was much delayed, and its initial proposed fine of £183.39m (roughly 1.5% of BA's global revenue) has fallen dramatically. The £20m fine is roughly 0.16% of BA's £12.26bn revenue for the relevant year.

The 114-page Penalty Notice confirms that BA made an extensive set of representations, and also shows that the economic impact of the COVID-19 pandemic was, unsurprisingly, a very significant factor in the reduction.

Looking, for the moment, at the ICO's analysis at a very high level, it is clear that the ICO has worked methodically to cross every "t" and dot every "i" in this process. That is unsurprising: this is the ICO's first major fine under the GDPR, it has been closely watched, and it was extensively challenged by BA. It is potentially a landmark decision.

The Commissioner, Elizabeth Denham, was reported in summer 2019 as suggesting that her office was looking at 12 further significant cases. One of those was its investigation of Marriott, for which a similarly large intended fine was announced the day after the BA announcement in summer 2019. It will be interesting to see whether the ICO, having now finalised its processes and dealt with BA, will proceed at a greater pace with those investigations.

We have written extensively about the BA investigation previously: see our recent article on the credibility of the ICO's processes here, and our coverage of the initial announcement of the intended fine here. The BA fine is also interesting in the context of the ICO's recent guidance on enforcement; see our article here.

If you found this interesting, there's a lot more comment you may find helpful on UpData, which provides regular updates on contentious, criminal and insurance risks relating to data, from cyber-attacks to regulatory enforcement.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.