Not many law firms need to worry about a fine of £183 million, as most don’t have the turnover British Airways has.
However, in the wake of the Information Commissioner’s Office (ICO) announcing that it intends to fine British Airways £183.39 million for a data breach (about 1.5% of the company’s 2017 worldwide turnover, against a GDPR maximum of 4%), what can solicitors and law firms learn from this case?
GDPR specialist barrister Orlagh Kelly explains. (30 July 2019)
Facts of the case
In September 2018, visitors to British Airways’ website were diverted to a fraudulent site. Through this false site, the attackers harvested the details of about 500,000 customers, including log-in details, payment card details and travel booking details, as well as names and addresses. British Airways said that passport details were not taken.
The incident was first disclosed on 6 September 2018, roughly 15 weeks after GDPR came into effect on 25 May 2018. The proposed penalty is the first the ICO has made public since the introduction of GDPR, which requires organisations to report a personal data breach to the ICO within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals).
1. Being the victim of a crime is not a defence.
British Airways were actively targeted by sophisticated cyber criminals and were essentially the victim of a crime. Your law firm website or your case management system could be targeted in the same way, or you could simply have your laptop stolen from your home.
Regardless of your ‘victim’ status, the ICO will fine you if it concludes that you did not take appropriate technical and organisational measures to protect personal information. Being attacked is not the failing; being attacked through a weakness you should have closed is.
2. Law firms are more vulnerable to fines than British Airways.
The information breached by British Airways was limited to log-in details, payment card details and travel booking details, as well as names and addresses. None of this is ‘special category’ data, which is what the ICO usually comes down hardest on and which we treat as ‘high risk’ information. The special categories cover racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health, and sex life or sexual orientation; data about criminal convictions and offences is treated with similar strictness.
Law firms that practise in family, crime, employment or civil litigation will of course handle special category data daily, so solicitors and their administrative staff routinely handle much higher-risk information than British Airways lost. Even one brief going missing with that type of information can prompt the ICO to act.
3. No-one needs to get hurt.
British Airways stated at the time of the breach there was no evidence that any of the information stolen had led to fraudulent activity. What they were really saying is ‘no-one was hurt’, in the hope this would mean no penalty for them.
That’s not how the ICO works. Absence of proven harm does not excuse a breach: if you lose control of the information, the ICO will look at whether you had appropriate safeguards in place, and can fine you whether or not anyone has yet suffered a loss.
This could be something as simple as sending a social work report to the wrong address or leaving your case file in court. The ICO does not have to prove that the data subjects suffered any kind of loss, which goes against the grain for solicitors used to calculating damages based on an actual loss suffered by the victim.
The Commissioner herself commented:
“… the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
4. Lawyers are profiting from the British Airways fine.
Speaking of individuals suffering a loss, a number of law firms have been aggressively advertising that they can get compensation for the ‘victims’ of the British Airways data breach, so the fine may be only one of the financial blows British Airways faces this year. I suppose this means a new area of practice opening up, for those who are interested.
For everyone else, it means lawyers are signalling to members of the public that they can profit from data breaches. It is no longer just the ICO that businesses need to worry about, but the man on the street pondering the opportunity for a quick compensation claim. Could it be the new whiplash claim?
5. Fixing things afterwards doesn’t get you out of a fine.
On its own account, British Airways detected the breach roughly two weeks after it began, and has since taken significant steps to close the weakness the attackers exploited.
But this hasn’t prevented a massive fine, the worldwide publicity and a significant dip in their share valuation.
For law firms, this could mean significant damage to your reputation, your ability to keep clients or get new clients, and your cash flow. In turn, this could lead to job losses or even closure of your firm.
There’s little point shutting the stable door after the horse has bolted: you need to watch constantly for risks in your practice and fix them before something goes wrong. Regular staff training and both internal and external audits are two ways to safeguard your firm against data breaches, and to show the ICO, if the worst happens, that appropriate measures were in place.
One thing is clear - the ICO has moved the game to another level. After 14 months of criticism for ‘doing nothing’, they’ve come out with the gloves off.
See also:
- GDPR for law firms – practical steps to GDPR compliance.
- ICO infographic on legal sector data incidents – a still-useful infographic summarising incidents reported to the ICO in 2015/16