Hogan Lovells Engage
Time to take notice: ICO to impose record fine for data security breach

8 July 2019

On 8 July 2019, the UK data protection authority (Information Commissioner’s Office; ICO) issued a notice of its intention to fine British Airways (BA) GBP 183.39 million (approx. USD 229.46 million) for infringements of the General Data Protection Regulation (GDPR).

Index
  1. ICO Enforcement Implications
  2. What happens next?
  3. Right to Appeal

The proposed fine relates to a data breach in which personal data of approximately 500,000 customers were compromised. The incident (reported to the ICO in September 2018) involved user traffic to the BA website being diverted to a fraudulent site where customer details were harvested by attackers. Following an “extensive investigation,” the ICO found that customer data was compromised by “poor security arrangements at the company.”

ICO Enforcement Implications

This marks the first fine issued by the ICO resulting from a data security breach under the GDPR and will be the largest fine ever issued by the ICO. By comparison, under the previous UK data protection regime, the highest fine imposed by the ICO in relation to security breaches was GBP 500,000 (the previous statutory maximum). The proposed fine against BA therefore marks unprecedented enforcement action by the ICO and paves the way for much higher penalties under the GDPR regime.

The proposed fine serves as a reminder of the level of fines that data security breaches can attract under the GDPR. When considering data security obligations, organisations must not only consider Articles 32 – 34 GDPR (breaches of which attract potential fines of up to EUR 10,000,000 or 2% of annual worldwide turnover) but also the essential security principle under Article 5 GDPR. Where a data security breach is regarded as a breach of the security principle of the GDPR (Article 5(1)(f) GDPR), which specifically refers to protection against unauthorised or unlawful processing of data, supervisory authorities may impose fines of up to EUR 20,000,000 or up to 4% of annual worldwide turnover (whichever is the higher).

Whilst it is not clear at this stage how the ICO calculated the proposed fine, it appears that it amounts to approximately 1.5% of BA’s worldwide turnover last year. The ICO’s Regulatory Action Policy states that the decision whether to impose a penalty, and the decision as to the amount of the penalty, will involve consideration of various factors including: (i) the nature, gravity and duration of the failure; (ii) the categories of personal data affected by the failure; and (iii) whether the penalty would be effective, proportionate and dissuasive. The ICO’s aim in applying penalty notices is to ensure compliance with legislation and information rights obligations and to act as an effective deterrent.

Through this enforcement action, the ICO appears to be trying to re-set the bar in terms of what is “appropriate” (and hence legally required) to meet the GDPR standards of data protection.

What happens next?

At this stage, the ICO has issued a notice of intent (NOI) to fine BA. A NOI sets out the circumstances of the breach, the findings of ICO’s investigation and the ICO’s proposed level of penalty along with a rationale for the penalty.

Following a NOI, an organisation subject to the NOI has 21 calendar days to make representations to the ICO about both the imposition and the level of the penalty.

Where appropriate, the ICO will also have regard to representations from other concerned supervisory authorities before the final penalty notice is issued. The ICO has confirmed that it will consider representations made by other “concerned data protection authorities” before it takes its final decision with respect to the BA penalty.

For penalties over the threshold of GBP 1 million, the Commissioner may also convene a panel comprising non-executive advisors to the Commissioner’s office to consider the investigation findings and any representations before making recommendations to the Commissioner in relation to the level of penalty applied.

The Commissioner makes the final decision on the level of penalty to be issued and will confirm any penalty notice in writing through a monetary penalty notice (MPN). The MPN must include the reasons for the amount of the penalty, including aggravating and mitigating factors that the ICO has taken into account. Once the MPN has been issued by the ICO, it will be clearer how the ICO arrived at its monetary penalty.

Right to Appeal

Once the ICO issues its MPN, the organisation subject to the MPN must pay the amount within the period specified in the MPN (maximum of 28 days). An organisation subject to an MPN also has the right to appeal the penalty notice to the First-tier Tribunal within 28 days of receiving the MPN. This enforcement action against BA will likely serve as a test case as to the approach taken by the ICO to enforcement action under the new GDPR regime. If appealed, the grounds for the MPN as well as the amount of the fine are likely to be thoroughly scrutinised, and the outcome of any such appeal will serve as a valuable point of reference for managing data security risks going forward.


Authored by Emma Hughes

Keywords consumer privacy, cybersecurity, data breach, data protection, enforcement, EU General Data Protection Regulation, fines, GDPR, ICO, personal data, privacy, UK, UK data protection authority
Languages English
Topics Privacy, Cybersecurity
Countries United Kingdom