Time to take data security seriously?
The news of British Airways’ massive data breaches and the equally massive fines from the ICO are a clear sign of what is to come for businesses in the UK. BA however appears to think that these are not bad breaches, for reasons which do not seem apparent to anyone looking in from the outside.
“People’s personal data is just that – personal,” said the information commissioner, Elizabeth Denham. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. The law is clear, when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
I suspect that BA is feeling a lot like the victim here: with firstly the criminal theft of the data and now a massive fine for having had the data stolen, I suppose that it is easy enough to see why. The way that the ICO looks at it is somewhat different though. The Data Protection Act 2018, which brought the dreaded GDPR into UK law, is pretty clear on who owns “personally identifiable information” (PII): it is owned by the data subjects – the very people that the data is about. If we now look at the BA case with this in mind, BA was entrusted by half a million people with their data, trusted to take good care of it and to only use it in ways that were expected by those people.
Unfortunately, BA had “poor security arrangements” according to the ICO. In short, BA had failed to take proper care of data belonging to its clients. Given the nature of the data taken, the likely consequences of the theft for the data subjects and the sheer number of them affected, the fine makes a lot of sense.
Although it will be of little consolation to BA, it could have been a lot worse. Article 5 of the GDPR contains the term, “…processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing…” This means that when BA had this data stolen, it was in breach of article 5, which puts it into the higher band of fines. The fine it got was 1.5% of its global turnover but it could have been anything up to 4%! That means that the £183 million fine could have been £488 million, which would be enough to make anybody’s eyes water!
What does this mean to other UK businesses? The message is clear: make sure that your data is very secure. Just having some haphazard antivirus on the PCs on your network is negligent; you should investigate using superior products such as Heimdal, and maybe a managed firewall too. The other side of the coin is that you have to have your staff trained to spot threats such as phishing emails and social engineering. If you fail on either of these, and you get hacked, then you can probably expect a big fine. Maybe not £183 million sort of big, but enough to be “effective, proportionate and dissuasive”, in the words of the ICO…
To find out more about how to make your business secure, please email email@example.com or call 020 3358 0090 to be put in touch with a specialist in this field.