British Airways and its parent International Airlines Group (IAG) face a £183.39 million fine, announced by the ICO, in connection with a data breach that began last year and affected around 500,000 customers who were browsing and booking tickets online. The ICO said that it found "a variety of information was compromised by poor security arrangements, including log in, payment card, and travel booking details as well as name and address information."
The fine, 1.5% of BA's total revenues for the year that ended December 31, 2018, is the largest the ICO has ever proposed against a company over a data breach. If you are a shocked and worried business owner, you are not alone. The power of the ICO is real, and the fines it levies can be profit-shattering (shares of IAG are down 1.5% at the moment).
There are two points to make about this highly publicised data breach and subsequent punishment. The first is that the system is working. BA is at fault here. For a company of its size, holding so much personal data, it should have been much quicker to find and stop the malicious code that led to the breach. In this instance, traffic to BA's website was diverted to a fraudulent site, and the customer details entered there were harvested by the attackers. And while no company can guarantee that its IT security is impenetrable, every company can follow the rules when it comes to detecting and reporting such a breach. The compromise is believed to have begun in June 2018, yet BA did not detect and report it until September. Once a breach is discovered, the GDPR requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours; for a breach of this magnitude, a detection lag measured in months is exactly what the ICO deems unacceptable.
Which brings me to the second point: if you think the rules don't apply to you, or that you are a small minnow and the ICO has bigger fish to catch, think again. In the first year of GDPR, supervisory authorities in the 31 countries of the European Economic Area reported 206,326 cases, and €55.96m of fines were issued, although €50m of that was the French regulator's fine against Google.
How do you stay off the ICO's radar? Start by doing these 5 things:
1) If you haven't already, appoint a Data Protection Officer and task them with ensuring that you ARE compliant. They will need to ensure you have a Data Protection policy in place and the right processes for dealing with a data breach.
2) Automate the to-do list for a data breach. In a crisis, people's attention is diverted and things that are supposed to happen don't. Rather than rely on five different people remembering what they are supposed to do, have one person trigger a 'Data breach alert'. This can be as simple as a set of automated emails that go to the different responsible parties, each clearly spelling out what that person needs to do and by when.
3) Invest in IT systems you can trust. We live in a new world. Cybercrime is not going down, so this is not an area in which to look for cost savings.
4) Remember that phone conversations count as personal data. Companies that record calls must remember that these recordings are personal data, and they may not record calls without informing the individual first. Companies also need to offer an alternative way to be reached (another number, for example) for callers who do not want their calls recorded.
5) Review your data policies & processes more often than annually. A year is a long time in the business world. You may implement new software, hire new people, or do any number of things that will require you to rethink your privacy policies.
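Step 2 above describes a single trigger that fans out pre-written task lists to the responsible parties. The Python below is an added illustration of that idea; it is not VTSL's code and does not come from the original post. The role names, email addresses (all under the reserved .invalid domain) and task lists are constructed for the example. It also computes the GDPR Article 33 notification deadline (72 hours from the moment the company becomes aware of the breach) and puts it in every message, so the deadline travels with the tasks rather than living in one person's head.

```python
"""Breach-alert fan-out: one trigger produces one task email per responsible party.

Added example, not VTSL's code. Roles, addresses and tasks are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from email.message import EmailMessage

# GDPR Article 33: notify the supervisory authority (the ICO in the UK) without undue
# delay and, where feasible, within 72 hours of becoming aware of the breach.
ICO_NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class Role:
    name: str
    email: str                      # constructed placeholder address
    tasks: list[str] = field(default_factory=list)


# Constructed runbook. Keep the real one under version control and review it
# whenever systems or people change (see step 5).
RUNBOOK = [
    Role("Data Protection Officer", "dpo@example.invalid", [
        "Open the breach register entry and record when the company became aware.",
        "Assess the risk to individuals and decide whether ICO notification is required.",
        "Notify the ICO before the 72-hour deadline stated above (Article 33).",
    ]),
    Role("IT Security Lead", "secops@example.invalid", [
        "Preserve logs and disk images of affected systems before remediating.",
        "Contain the incident: revoke credentials, isolate hosts, block indicators.",
        "Tell the DPO which categories of personal data were exposed.",
    ]),
    Role("Communications Lead", "comms@example.invalid", [
        "Draft the customer notification in case the DPO decides Article 34 applies.",
        "Hold all external statements until the DPO and legal have approved them.",
    ]),
]


def ico_deadline(aware_at: datetime) -> datetime:
    """Latest time to notify the ICO, given when the breach was discovered.

    Refuses naive datetimes: a deadline computed in the wrong timezone can be
    hours out, which matters with a 72-hour window.
    """
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")
    return aware_at + ICO_NOTIFICATION_WINDOW


def build_alerts(incident_id: str, aware_at_iso: str,
                 runbook: list[Role] = RUNBOOK) -> list[EmailMessage]:
    """Build one email per role from a single trigger; sending is left to the caller."""
    aware_at = datetime.fromisoformat(aware_at_iso)
    deadline = ico_deadline(aware_at)
    messages = []
    for role in runbook:
        msg = EmailMessage()
        msg["From"] = "breach-alert@example.invalid"      # constructed sender
        msg["To"] = role.email
        msg["Subject"] = f"[DATA BREACH ALERT] {incident_id}: actions for {role.name}"
        lines = [
            f"Incident {incident_id} declared. Company became aware at {aware_at.isoformat()}.",
            f"ICO notification deadline (72h, GDPR Art. 33): {deadline.isoformat()}",
            "",
            f"Your tasks as {role.name}:",
        ]
        lines += [f"  {i}. {task}" for i, task in enumerate(role.tasks, 1)]
        msg.set_content("\n".join(lines))
        messages.append(msg)
    return messages


if __name__ == "__main__":
    # Dry run with a constructed incident; nothing is sent.
    for alert in build_alerts("INC-0001", "2018-09-05T10:00:00+00:00"):
        print(alert)
```

The script only builds the messages; in production the same list would be handed to `smtplib.SMTP.send_message` (or your ticketing system's API) by the one person who pulls the trigger, so every party receives the same deadline and their own task list in one step.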
The ICO is not your enemy; it is your advocate as an individual. And the GDPR is not just a major headache, it is an instigator of change that we all must get used to in a world where business battles are increasingly fought in cyberspace instead of the marketplace. Stay off the ICO's radar by following the rules. Everyone will benefit.
About VTSL
VTSL offers the full suite of cutting-edge communications solutions for your business, from private fibre networks to business-grade WiFi to call recording and cloud-based business VoIP telephony. As pioneers of IP telephony services with over 10 years of experience implementing unified communications solutions, it is no wonder VTSL is an award-winning telecoms provider year after year. For more information on how to future-proof your office with the latest tech, speak to one of our experts today. Call 020 7078 3200 or email us at info@vtsl.net.