BA’s massive GDPR fine is a wake-up call for US businesses

British Airways has just been fined a record £183m by UK regulator the Information Commissioner’s Office (ICO). The penalty, under the EU’s General Data Protection Regulation (GDPR) legislation, comes after the carrier failed to properly secure customer data, resulting in one of the most serious data breaches of that year. Although a European company, BA is a multi-national with customers all over the world. As such, US firms should pay close attention to this case.

Senior business leaders must now understand that data protection, privacy and cybersecurity are critical business issues that must be addressed. With the prospect of massive fines, the old excuses will no longer wash.

What happened?

The massive financial penalty was levied by the ICO due to “poor security arrangements” by BA which led to a breach of personal data on around 500,000 customers. The information stolen apparently included log-in, payment card, and travel booking details as well as name and address details.

The breach itself happened when BA was targeted by a notorious piece of malicious JavaScript inserted into its payment pages to harvest data when passengers came to pay and enter their details. Known as Magecart, these types of attack have affected thousands of ecommerce businesses over the past few years and are ongoing today.

What is the GDPR?

BA has claimed no customers have had their data used in follow-up fraud and other attacks, and will likely dispute the size of the penalty. However, whatever happens, it’s clear the gloves are now off when it comes to GDPR fines. After a “phony war” of several months where nothing happened following the introduction of the new law in May 2018, regulators are now flexing their muscles.

The GDPR was designed with two aims front-and-foremost: to boost users’ rights over how their information is used by third parties, and to improve transparency and accountability on the part of those companies.

The Information Commissioner’s comments on the BA case highlight this perfectly:

People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.

What’s in the GDPR?

It’s a long and sprawling piece of legislation. But key elements for US firms to remember are:

• It applies to all organizations worldwide as long as they process the information on EU citizens
• Breached firms have 72 hours after discovery to notify regulators
• Fines can rise to 4% of global annual turnover, or €20m, whichever is higher
• Consumers have new rights to demand if firms are processing data on them, to request that it is erased, and to have it transmitted to them or a new provider
• Companies must adopt a privacy-by-design approach when designing new products and services, building security and data protection in from the start

Time to get serious

Historically, US firms have been slow to appreciate the importance of the GDPR, perhaps stemming from confusion over whether it applies outside the EU or not. It most certainly does. Google was the last big-name firm to be hit with a major fine when it was served with a €50m penalty.

Data collected in October 2018, seven months before the GDPR came into force, found that 61% of US firms had yet to start compliance processes. With the honeymoon period apparently over, it’s more important than ever that firms get their GDPR house in order.

How do I comply?

The difficulty with the GDPR is that it refuses to detail specific technologies that could help organizations with compliance. This is understandable: it would quickly make the legislation out-of-date as new technologies evolve. However, from a security standpoint, there are a few things you can do to start the process. These include:

• Carrying out a full data audit. Understand what data you hold and classify according to which information is GDPR-regulated and high risk
• Mapping appropriate security controls to ensure the data is properly secured. Encryption and anonymizing tools are mentioned by name in the GDPR
• Auditing the supply chain and updating contracts to ensure the data is protected by partners: you will both be held accountable in the event of a breach
• Understanding the rules for transferring data to jurisdictions outside the EU
• Appointing a Data Protection Officer (DPO) if relevant
• Looking to frameworks like NIST to help with best practice security

A new opportunity

Although complicated, GDPR compliance will be a benefit to your organization in the long run. Regulators know that there’s no such thing as 100% security. They’re just looking to make sure you have the best interests of your customers at heart and have taken steps to keep their data secure according to industry best practices.

With that in mind, the regulation can be a great way to:

• Reduce costs associated with security incidents, such as investigation and remediation, legal costs, and reputational damage
• Get closer to your customers by enhancing trust
• Position yourself ahead of the competition if or when similar laws come to the US, which seems increasingly likely