Kemp Little

Data protection & privacy · 8 July 2019 · Anita Bapat · Emma Wright · Aneka Chapaneri

UK data protection regulator issues £183m fine to British Airways for data breach

“When an organisation fails to protect [personal data] from loss, damage or theft it is more than an inconvenience.” (the Information Commissioner’s Office).

The Information Commissioner’s Office (the “ICO”) has announced its intention this morning to fine British Airways (“BA”) a record-high £183.39m for the UK airline’s data breach which occurred in June 2018.

Data breach

Cyber attackers successfully gathered BA customers’ details through a false site which intercepted the airline’s own website. The ICO’s investigation revealed that names, addresses, login details, payment card information (including CVV codes) and travel booking details of approximately 500,000 BA customers were compromised during the incident. BA’s CEO and Chairman Alex Cruz described it as a ‘malicious criminal attack.’

At the time of the breach, BA offered to (i) reimburse financial losses, (ii) provide a credit checking service and (iii) pay compensation for inconvenience and expense, although it is unclear to what extent these were offered to affected individuals as a matter of course. BA was also praised for handling the communications around the data breach relatively successfully – although the bar had been set at a relatively low level by previous breaches – and there were still many complaints from those affected.

In particular, the ICO has criticised BA’s “poor security arrangements” which led to the data breach – with no mention in the ICO’s press release of a ‘malicious criminal attack’. One of the key data principles under the General Data Protection Regime (“GDPR”) is the security principle, which requires organisations to have appropriate security measures in place to protect the personal data that they hold. Importantly, under the new principle of accountability under the GDPR, organisations are required to actually demonstrate that they are implementing these security measures in practice. As cybersecurity evolves, organisations also need to regularly review the security measures on their digital estate.

Record-high fine

This is the first fine that the ICO has issued under the GDPR, which came into force in May last year. Under the new legal regime, the ICO has the power to issue a fine of up to 4% of the company’s annual turnover for the previous year. The £183.39m fine against BA amounts to 1.5% of the company’s turnover in 2017. Comparatively, the highest fine issued by the ICO until now was the £500,000 fine against Facebook for the Cambridge Analytica scandal; this was the maximum penalty under the old data protection regime.

Next steps

The ICO announced that BA has been cooperative during the investigation and has taken steps to improve its cybersecurity measures since the data breach. BA now has the opportunity to appeal the ICO’s initial findings within the next 28 days by making representations to the regulator about the findings of the investigation and the amount of the proposed fine. BA has responded to the ICO’s notice stating ‘We have found no evidence of fraud/ fraudulent activity on accounts linked to the theft.’ Notably, the share price of the BA holding company IAG dropped 1% in response to the ICO’s announcement.

The ICO has been the lead regulator investigating the breach, which predominantly affected UK-based BA customers. However, the ICO will be liaising with other EU data protection regulators where other affected BA customers may reside. Other EU data protection regulators will also have the opportunity, alongside BA, to comment on the ICO’s initial findings and proposed fine.

Key takeaways

Although the ICO did not exercise its power to issue BA with the maximum fine under the GDPR of 4% of its annual turnover, today’s news emphasises the fact that the ICO is willing to enforce significant penalties on companies that do not look after individuals’ personal data. The ICO has made clear that such organisations will “face scrutiny from [the ICO] to check they have taken appropriate steps to protect fundamental privacy rights” (Elizabeth Denham). The ICO’s findings will force companies of all sizes to re-think their internal cybersecurity measures and the way in which they handle and protect individuals’ personal data.  BA has indicated that it will be making any necessary appeals. If the fine is made final by the ICO then BA does have the right in the UK to appeal to the Information Tribunal (a first tier tribunal) which can either quash or reduce the level of the fine.

 

For further information, please contact the Data Protection team
