BA For Sale

Why the ICO is wrong to beat up British Airways

By Jon Inns - July 8th, 2019 Posted in Industry News

I should start this article by saying that I have no personal interest in British Airways. I hold no stock, I have no family who work for the company or its parent (that I know of), and I have no commercial relationships either. I rarely even use the airline.

The news today that the ICO intends to fine British Airways an incredible £183,390,000.00 is bothering me, and it’s not bothering me a little bit, it’s bothering me a lot.

Everyone expected that the GDPR would have an impact on organisations when it came to protecting and processing user data – and that’s a good thing. We all want to believe that data processors are going to collect and store our data securely and appropriately, and there is no denying that British Airways suffered a catastrophic breach for which it needs to learn lessons. However, the UK ICO levying a huge nine digit fine on a British company that has apparently fully co-operated with an investigation into the breach feels like it is sending out the wrong message to me and I believe will ultimately drive completely the wrong behaviour.

Lets be realistic for a moment. Most organisations, particularly enterprise ones with complex legacy systems (and even occasionally the ICO’s pwn website) are not going to be impenetrable to a well thought through cyber attack, and this intended fine is going to make many start questioning what the upside of co-operating with the ICO in the event of an incident actually is. Sure, the regulation says that they must, but when the outcome could be an unexpectedly HUGE crippling fine on top of already painful losses of reputation, share value and customers, rightly or wrongly fines like this will make some question what response is really in the best interests of the business and its shareholders – which will continue to remain the priority for the board.

BA StockDownturn of International Consolidated Airlines Group share price since the data breach

The point here is not to let BA off the hook, or feel sorry for them.  They’ve had a security failure and they need to demonstrate that they have learned from it, but isn’t ultimately the entire point of the GDPR to encourage good practice?  We want to encourage organisations to want to protect consumer data and handle it correctly, not to terrify the board into thinking that they need to hide the incident or play it down, and that’s what a fine like this could do.

But that’s not the only thing that’s bothering me.  We live in uncertain times where foreign actors are known to manipulate the rules of the game in order to gain political, military or economic advantage. Excessive penalties such as this signal to these actors that they now have a brand new instrument which they can use to potentially destabilise previously solid national assets.

Knowing that, as a country we will inflict huge financial penalties on our own flag bearing institutions suggests that if an actor was so inclined, with a little mischief and bit of focus, the compromise of the right infrastructure could make a target business cheap to acquire and it could in theory turn into economic self harm.  By attempting to encourage better security through whopping fines we could inadvertently cause the demise, loss or takeover of some of our most important national institutions.

The UK has world leading expertise now at hand with the formation of the NCSC who are available to help deal with the aftermath of a breach, but even with agreed discretion between the NCSC and the ICO, this might make organisations think twice about whether they can consider their own Government a friend and trusted adviser when they really need to.

What’s the alternative?

Well, I don’t write policy for the ICO but it would seem like some kind of escalating fine for post-breach “lack of action” would be a better approach.  Instead of potentially launching crippling fines across the entire FTSE 500 in the next 12 months, it would make sense to me that in the event of a breach that a company should be given a strong incentive to work hard to make things better.  Most companies will do this anyway (and I don’t doubt BA have already spent many millions dealing with their issue), but by putting organisations on something like a suspended sentence the financial pain could then be directed to organisations who show a lack of significant and lasting improvement post breach, which is where it should be.  This would then drive the shareholders to want to spend whatever it takes on the right things as quickly as possible.

To give an example:

  1. You’ve had a breach. You are now at risk of a fine of X if you don’t act now.  Each missed deadline will incur 10% of your fine.
  2. You now have Y duration to identify and prove every entry and exit point of your entire digital estate, and have that independently verified.  Every month you’re late will incur 10% of your fine.
  3. Once 2 is completed you have X months to identify all potential vulnerabilities and define remediation plan – or 10% fine for every period missed
  4. Once 3 is complete you have Z months to fix everything, or 10% for every period missed.
  5. etc…

Now, there’s a lot to be thought about to make something like this work, and it might feel like an excuse to drag feet, but organisations with complex infrastructures cannot simply update technology immediately.  They need time and they need the right motivations.  Nobody Almost nobody deliberately deploys insecure services and if we want the UK to become more secure then we need to carry on the great work of the NCSC and help them do the right things with advice and support and not use commercial aggression as a primary solution, or we risk driving our remaining industrial titans to the brink of extinction.

Are our motivations to make easy cash from data breaches or to stop them happening and make the UK a secure place to do business?  I’m not saying UK organisations should be given special or lenient treatment, but neither should they be used as the gold standard in record breaking penalties.

Threat Status 7,960

Breached Databases Analysed

Threat Status 4,540,717,237

Exposed Records Found