What do directors need to know?

The corporate governance equivalent happened to British Airways yesterday when the Information Commissioner’s Office (ICO) announced that they intended to fine them an unprecedented £183 million for a serious breach of data protection law. 

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. 

“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights”. 

She could also have added: “And if they don’t my office will visit the wrath of Jehovah himself upon them.” 

It’s the first action they’ve taken since the General Data Protection Regulation (GDPR) came into effect from May 2018 and looks designed to warn every other transgressor that the regulator has teeth and isn’t afraid to use them. 

The fine is approximately 1.5% of BA’s global turnover, but as the previous maximum fine for a data protection breach was only £500,000, the punishment has to stick. Facebook was fined that amount for the Cambridge Analytica scandal, and no observer could reasonably argue that it fitted the crime. 

The new upper limit is 20 million euros or 4% of global turnover, whichever is greater – in BA’s case that could be up to £500 million so it might even be argued that they’ve got away lightly. 

The fine was for a cyber security incident in 2018 which saw 500,000 BA passengers’ names, addresses and payment details compromised. Under data protection law, appropriate measures must be put in place to keep the personal data of individuals secure; the ICO said that BA had failed to protect the data from being stolen. 

Not just British Airways

An important legal caveat to note is that the fine is not automatic. The ICO has only issued a notice of intent to levy the fine at this point, which gives the organisation a chance to make final representations in an attempt to mitigate the size of the punishment. 

To underline the ICO’s newly discovered tough streak, they are intending to fine Marriott International hotel group £99.2 million for a data breach from their Starwood subsidiary in 2014 that saw 30 million guest records exposed. 

The news will be a fillip to the Treasury which receives the money although the ICO is considering ringfencing a proportion of future income to set aside to fight legal challenges from other companies who may challenge the decisions. 

Needless to say, IT directors and managers of every business in the UK, regardless of size, will be rereading their security protocols and running security tests today as a result as none of them would like to explain to their board why they could be the ICO’s next victim. 

Data and IT security should be paramount for your business, as a breach could mean not only the loss of your customers’ data but also of your own intellectual property and data, and even access to your bank accounts or your online identity. 

A US report found that 60% of small and medium sized businesses that were victims of a successful cyberattack went out of business within six months. It’s that serious. 

Now we can’t help you if your business has been virtually or actually compromised but we can advise you on how to plot a way back financially from a devastating blow. 
Contact us today to arrange a consultation with one of our expert advisers. They can run through the options you have right now that could make the important difference between saying you have a business and you had a business.