On July 8, 2019, the UK Information Commissioner’s Office (ICO) announced its intention to fine British Airways GBP 183.39 million over a data breach in which the personal data of approximately 500,000 customers was compromised. If made final, the fine—equivalent to approximately U.S. $230 million—would be the biggest fine ever issued by the ICO as well as any Supervisory Authority (SA) in the European Union.
Since the EU General Data Protection Regulation (GDPR) became applicable on May 25, 2018, more than 55 sanctions for data protection violations have been issued, with fines up to EUR 50 million. The proposed ICO fine highlights SAs’ determination to focus in particular on data security and data breach management.
In this article we discuss the proposed ICO fine, and some other recent decisions that clarify expectations of SAs with regard to data security and data breach management practices.
Appropriate Data Security Measures
The GDPR requires organizations to implement appropriate information security measures when processing personal data. In the case of British Airways, the ICO described the security arrangements of the company as “poor” (and hence inappropriate) as they did not prevent user traffic from being diverted to a fraudulent website.
The GDPR includes criteria to evaluate in determining whether specific data security practices are “appropriate” including the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, and the risks for individuals if their data is subject to unauthorized access. Although the GDPR does not provide a list of specific information security measures that organizations must implement, several SAs have issued recent decisions that provide useful insight:
- Security of passwords. The Italian SA recently imposed a fine of EUR 50,000 on a service provider running different websites on behalf of a political movement for failure to implement appropriate data security measures, including failure to implement strong security for the use and storage of passwords. Likewise, the SA of the German state of Baden-Wuerttemberg found that a social media service violated its duty to ensure data security by storing the passwords of its users in clear text, without applying any pseudonymization or encryption. The SA, taking into account the company’s significant investment in updating its IT security measures, imposed a relatively low fine of EUR 20,000.
- Restricting access to authorized individuals. The French SA imposed a EUR 400,000 fine on a real estate company for not restricting access to documents provided by rental candidates. As a result, documents sent by applicants were freely accessible online by slightly modifying the URL in the browser. The SA determined that the company should have required prior authentication to access the documents, thus limiting access to authorized individuals only.
- Single-factor authentication is insufficient for online access to sensitive data. The Dutch SA determined that online access to sensitive data, such as employees’ medical information, requires more than single-factor authentication. It ordered the government agency concerned to implement appropriate security mechanisms on penalty of payment of EUR 150,000 per month (up to a maximum of EUR 900,000).
- Data minimization. The Lithuanian SA issued a EUR 61,500 fine for failure to notify the SA of a breach involving more than 9,000 screenshots of banking transactions made publicly available online. The SA found that the e-payment service provider collected more personal data than necessary since it kept detailed financial information alongside each payment, which was not necessary to process the transactions.
- Effective logging system. The Italian SA found that the abovementioned service provider had failed to implement an appropriate logging system for the activities of its IT staff on the company’s platform. Also, the Portuguese SA imposed a EUR 400,000 fine on a hospital, among other things for absence of regular checks of the hospital’s file access control system.
- Various IT responsibilities should not be centralized with a single employee. In the above Lithuanian case, the SA also incidentally found that, if a single employee is responsible for the installation, maintenance, and management of the IT infrastructure, he or she cannot ensure alone an adequate protection against IT security threats.
Cooperation and Mitigation in Case of a Breach
Since May 2018, more than 89,000 data breaches have been reported to SAs in the EU. When reporting a breach, an organization should ensure they cooperate with the competent SA and adequately mitigate the risks resulting from the breach.
- Failure to remediate a data security breach can lead to a fine. The Polish SA imposed a fine of EUR 13,000 on a sport association for failure to implement mitigating measures following a breach. The association had reported the breach, but failed to ensure the information concerned would no longer be available online.
- Remediation measures should be implemented timely. A telecom operator that had notified the French SA of a data breach was sanctioned for its late implementation of risk-mitigating measures, taken more than two years after the breach.
- Cooperation can reduce fines. In the above mentioned German case, the organization’s cooperation with the SA and the range of enhanced security measures it put in place following the breach appears to have kept its fine relatively low.
In the case of the British Airways breach, the ICO stated that the company “cooperated with the ICO,” and “made improvements to its security arrangements.” Given the size of the proposed penalty, it remains to be seen if and how these factors affected the fine for British Airways, once the ICO publishes its final findings and sanction.
The above decisions and, in particular, the massive fine announced by the ICO, demonstrate that SAs are not hesitant to impose fines for data security violations. This even applies in scenarios where companies are the victim of a cyberattack or hack as was the case with British Airways. In this context, organizations are advised to:
- periodically verify whether their data security and data breach management practices are aligned with standards set out by evolving case law, SA guidance, and best practices.
- assess their liability exposure with regard to data security. Under the GDPR, a controller and a processor can each be held liable for failure to ensure appropriate data security measures. Thus, organizations should ensure that they vendors they contract with provide appropriate data security. Ultimately, the allocation of liability will depend on the circumstances of the case. For instance, in the above Italian case, the SA recognized the liability of the processor that provided the platform affected by the breach. The SA did not hold the controller (i.e., the user of the platform) liable for the security shortcomings.
- cooperate with their lead SA. In accordance with the GDPR’s “one-stop shop” mechanism, the lead SA will typically investigate a cross-border data breach on behalf of SAs in other EU countries. Good cooperation with the lead SA could limit an organization’s exposure to fines.
Alexandre Lépine, a WSGR litigation intern, contributed to this article.
 See the Statement from the UK SA.
 See the Decision from the Italian SA (in Italian).
 See the Decision from the Baden-Wuerttemberg SA (in German).
 See the Decision from the French SA (in French).
 See the Decision from the Dutch SA (in Dutch).
 See this Infographic GDPR in numbers 2019.
 See the Decision from the Polish SA (in Polish).
 See the Statement from the UK SA.