British Airways is facing a record fine of £183 million following a “sophisticated, malicious” cyber attack last year that compromised the personal details of around 500,000 customers.
The Information Commissioner’s Office (ICO) imposed the penalty for non-compliance with new General Data Protection Regulation (GDPR) rules, although some had expected a more lenient ruling.
GDPR allows for a maximum penalty of 4% of a company’s annual turnover, meaning British Airways could have faced a fine approaching £500 million for the incident.
At present, it is unclear whether British Airways’ owner IAG will shoulder the full costs itself or whether it will be able to offload some of the damage via its re/insurance coverage.
The legality of insuring GDPR fines remains a grey area in the UK, with fines for criminal or quasi-criminal conduct excluded for public policy reasons.
The ICO, however, has not yet specified whether insurance coverage is ruled out for its fines, meaning incidents are generally being treated on a case-by-case basis.
A spokesperson for the ICO told Out-Law.com last year that there was “nothing in the GDPR which either permits or prohibits” insurance coverage for regulatory fines.
Re/insurance broker Marsh, on the other hand, argued in a recent report that most cyber policies currently in place are “unlikely to provide financial compensation” for fines related to GDPR non-compliance.
Similarly, a report by Aon and global law firm DLA Piper last year concluded that fines would not typically be insurable in the majority of European Union (EU) countries.
While British Airways may not be protected against the cost of the fine itself, it could potentially recover other costs related to GDPR compliance, such as forensics, breach notification, breach support services, legal liability to pay damages to impacted data subjects, and defending legal and/or regulatory actions.
In January, the Global Federation of Insurance Associations (GFIA) called on the Organisation for Economic Cooperation and Development (OECD) to provide clarity on the insurability of GDPR fines, which it said were causing “international confusion.”
The OECD responded to say it would look at the issue in the near future, although the ICO has previously been dismissive of the need to address these concerns.
“Our view is that a focus on insurance rather misses the point,” the ICO said last year, adding that “organisations should be looking to recognise the benefits of good information rights practice to efficiency, reputation and competitive edge.”
British Airways said that it was “surprised and disappointed” at the £183 million penalty from the ICO, which represented 1.5% of the company’s global turnover in 2017.
“British Airways responded quickly to a criminal act to steal customers’ data,” said Chairman and Chief Executive Alex Cruz. “We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”
Willie Walsh, Chief Executive of IAG, added that the company would be making representations to the ICO in relation to the fine.
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” he said.
Until now, the biggest penalty imposed on a company for a data security breach was the £500,000 fine Facebook was dealt for its role in the Cambridge Analytica data scandal, which was the maximum amount allowed under the old data protection rules.