- The fines under GDPR for a data breach are 2%, not 4%, so off the bat the headline should be “BA faces record £250M fine for data breach!” – this one shows either ignorance of the regulation, a deliberate attempt to dramatise the headline, or plagiarism;
- The maximum fines under GDPR are reserved for the most egregious offences, not any offence, and must at all times be “effective, proportionate and dissuasive” (Art. 83(1)) – explain to me how a half-BILLION pound fine for the loss of 380K payment cards is in any way ‘proportionate’ given the apparent sophistication of the attack;
- Loss of payment card details is already covered under the Payment Card Industry Data Security Standard (PCI DSS), as are appropriate fining / recompense structures – so why would the ICO jump in and investigate when there is a program in place already, and has been for over a decade? For what it’s worth, the fine for the loss of 380K payment cards under PCI would be in the order of £2.5M, if one is given at all;
- According to Art. 34(1), you may assume BA had no choice but to notify the data subjects of the breach: “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.” But seeing as all fraud losses related to breached payment cards are actually covered by the card issuers, can this really be called ‘high risk’? BA did it anyway;
- There is no such thing as 100% security – if someone with the right skill-set and patience wants in, they’re getting in, and there’s nothing you can do to stop it. You protect data to a level appropriate to its value, and no matter what business you’re in, there will always be gaps. Always.
- I have worked with the BA security team in a previous life, and I VERY much doubt this breach was either negligence or incompetence; they take security very seriously. This by itself would negate a huge chunk of the GDPR fine, and their obvious proactivity related to every other factor in Art. 83(2) should negate the vast majority of the rest.