A Huge Data Breach Fine Against British Airways Is a Warning to Global Execs
Ever since sweeping new data privacy rules took effect in Europe last year, business leaders and privacy advocates alike have been watching and waiting to see which unfortunate business would be the first hit with the massively enhanced fines—up to 4% of global revenues—the law now allows.
Well, on Monday, we all got the answer: Britain's top data cop proposed fining British Airways 183 million pounds for losing about 500,000 customers' data during a breach in August. The fine is equivalent to 1.5% of BA's worldwide revenue in 2017, or about 4 pounds for every passenger the airline is expected to fly this year.
If the same breach had occurred before May 2018, when the old law was still in effect, the maximum fine the British data regulator could have handed out was just 500,000 pounds.
'Surprised and disappointed'
The U.K. Information Commissioner's Office said its investigation had revealed that "a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information."
Alex Cruz, BA's chairman and CEO, said in a statement that he was "surprised and disappointed" by the proposed penalty and the airline had "responded quickly to the criminal act to steal customers' data." He noted BA had so far found no evidence the compromised accounts had been linked to fraudulent activity. Meanwhile, Willie Walsh, CEO of IAG, the airline's parent company, said the company would appeal the fine.
The ICO said BA will be able to present additional material to regulators before the penalty is finalized and the company can challenge the decision in court too. The amount BA ultimately winds up paying may be less.
But Elizabeth Denham, Britain's data privacy regulator, made it clear in a statement that she was trying to send a message with the massive proposed charge. "The law is clear—when you are entrusted with personal data you must look after it," she said. "Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
There will no doubt be plenty of CEOs, CFOs and general counsels around the world taking a big gulp. For one thing, the new European law, the General Data Protection Regulation, applies not just to businesses based in the European Union—it covers any business that holds the data of EU citizens, including any customers or employees. That means most of the world's largest companies—and many not-so-big firms—must abide by it.
Many executives and legal advisors have also assumed EU lawmakers gave the privacy law such draconian potential penalties largely to serve as a deterrent to the giant American technology companies for whom the old maximum penalties were clearly insufficient.
For instance, the ICO could only fine Facebook 500,000 pounds—a penalty it handed down in October—for the social network's role in the Cambridge Analytica scandal because those violations took place before GDPR came into effect. That case involved Facebook illegally allowing a researcher to access more than 87 million customers' information over a period of years—and then failing to publicly disclose what had happened even after it became aware of the violation. More recently, Italian regulators gave the company a $1.1 million fine for the same case. Taken together, those two fines are equivalent to what Facebook earned every 12 minutes last year.
The BA fine, however, shows that European regulators are quite willing to use their powerful new weapons against domestic firms too. What's more, many executives may have complacently believed they would only face the law's eye-watering maximum penalties for exceptionally egregious violations.
The significance of the ICO penalty "should not be underestimated," Eduardo Ustaran, a lawyer specializing in privacy and cybersecurity issues at the firm Hogan Lovells, said. "It already sets a very high bar in terms of the regulator’s expectations of what amounts to appropriate security."
In BA's case, the airline did lose a fairly large number of records—although 500,000 people is less than 2% of the airline's annual passenger total. The company reported the breach itself in September, almost as soon as it became aware of the problem, and it took immediate action to mitigate the damage. BA may have been hurt, however, by its failure to quickly get a handle on the true size of the breach: after initially saying 380,000 customers had been affected, it revised that figure upwards by an additional 180,000 accounts the following month.
With the large fine, Europe's regulators are clearly throwing down a gauntlet to major corporations: the era of "routine" data breaches is over. Any sizable personal data loss won't just inconvenience your customers—it will pick your shareholders' pockets too.