Journal of Business Continuity & Emergency Planning: December Editorial
By Lyndon Bird
Chief Knowledge Officer
In the previous editorial I focused some attention on the situation facing Boeing following the two fatal crashes of its aircraft. I discussed the danger of regulators and companies becoming too close and emphasised the need for an “arm’s-length” relationship.
Since that was written, another issue involving regulators and a major company in the aviation sector has emerged. On this occasion, however, there is no question of a comfortable relationship between regulator and company. In fact, the record penalty imposed on British Airways for a serious data breach of its customer payment records has shocked the entire global business community. It has removed any complacency that businesses might have had about their risks and liabilities if they fail to take information security seriously. It has also allayed fears that the General Data Protection Regulation (GDPR) might lack any real substance.
I, for one, expected early penalties for corporate information security breaches to be modest. I assumed that firms would have time to comply and that the real purpose of the regulation was to achieve a cultural change. It appears that the ICO (Information Commissioner’s Office) had other ideas. The maximum permitted fine on a company for a data breach prior to GDPR was £500,000, and it was imposed only rarely, most famously on Facebook for sharing personal data with Cambridge Analytica. The fine on British Airways of £183m for last year’s breach of its security systems has caused a total re-think of traditional assumptions.
Firstly, the fine is 366 times bigger than the previous maximum. Secondly, the ICO does not seem to accept any conventional justification for the breach. It accepts that the airline had followed correct procedures in reporting the breach as required by GDPR. It also confirmed that the company had fully co-operated with its investigation and made improvements to its security arrangements. It even agreed that British Airways had apologised immediately and put in place measures to compensate anyone damaged by the incident. In other words, from the airline’s perspective: “we made an error but we handled it well, no individual suffered and it will not happen again; what more could we have done?”
Clearly the ICO does not buy that argument. In fact, it signalled that this is just a taste of what is to come. It fined British Airways 1.5% of its global turnover, but the fine could have been 4%. It demonstrated that this was not an isolated case, almost immediately announcing a fine of £99.2m on the US-owned Marriott Group. This was for data breaches dating from 2014 but reported only in 2018. Even more problematic was that the breaches actually occurred at the Starwood Hotel Group before it was purchased by Marriott. The ICO said: “Marriott had failed to properly review Starwood’s data practices and should have done more to secure its systems. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
It appears that, according to the ICO, there are no mitigating circumstances. Suddenly, information security will be high on the due diligence agenda for every potential merger and acquisition.
At least with the British Airways case we have a clear understanding of what happened. Users of its website were diverted to a fraudulent site, and the details of around half a million individuals were collected. The information included names, email addresses and credit card details. The airline claims that it was the victim of a sophisticated cyber attack, which had also been successfully perpetrated on other companies. The breach was actually in third-party software used by the company; it was not even its own code that was compromised.
It seems as if this ruling will be an unwelcome new reality for all businesses. Timely reporting of an event, co-operating with the authorities, making changes immediately, ensuring that no one suffers any financial loss, not owning the business when the incident occurred, faults in a third-party product and being the victim of a crime are apparently no defence. This is unlikely to end here, as the combative Willie Walsh, chairman of BA’s parent group, has warned that a vigorous appeal is under way. At the time of writing we have no idea how successful that will be, but regardless of the final outcome this ruling has probably changed our perception of information security forever.
Suddenly, all types of business are at risk. British Airways and Marriott can probably cope with large fines, but it would be a very different situation for a small firm fined up to 4% of its turnover. Such a fine, together with the loss of customer confidence and reputational damage, would probably be the end of the company. We no longer just have to prepare against natural disasters, human errors, technical faults and a host of emerging cyber risks – we might fail simply because of regulatory non-compliance.
Journal of Business Continuity & Emergency Planning is the world’s leading journal on disaster recovery and emergency planning, publishing peer-reviewed articles and case studies written by and for heads of emergency, risk and resilience management. DRI International Certified Professionals in good standing receive a special 15% discount on subscriptions, which include both print and online versions. To subscribe now, simply follow the link below.
https://www.henrystewartpublications.com/subscription/jbcep. To receive your discount, please quote code DRI015.