British Airways Data Breach Likely The First GDPR Rollback Test.

7 years ago
abstractfwd1987
On 08/21/18 British Airways (BA) suffered the start of a data breach which ended on or about 09/05/18. A failure of an uninterruptible power supply (UPS) and the power surge that followed are reported to have made the breach worse. A third party (a vendor) was also reported to have been involved in some way, which complicates liability and brings supply-chain security into scope.

The breach allowed cyber criminals to steal personal and financial information from about 380,000 customers who booked directly with the airline in the preceding two weeks (Ivana Kottasová, CNN, 09/07/18). When a passenger makes a booking through the BA website, they must submit their name, e-mail address, postal address, and credit or debit card details: the card number, expiration date, and the security code or "Card Verification Value" (CVV). All of this was compromised. One practitioner's caveat: PCI DSS forbids storing the CVV after a transaction is authorized, so exposure of CVVs points to data being captured as customers entered it rather than being lifted from a stored database.

Most interestingly, this is one of the first major data breaches since GDPR came into effect in May this year, Walters said (Samuel Gibbs, the Guardian, 09/07/18). "It appears that the company notified the Information Commissioner's Office and customers within the GDPR's mandatory 72 hours but the breach will now be investigated and the company could be penalized if it did not take all the necessary measures to protect customer data" (Samuel Gibbs, the Guardian, 09/07/18). Strictly, the 72-hour clock in Article 33 runs from the moment the controller becomes aware of the breach and governs notification of the supervisory authority; affected individuals must be told "without undue delay" under Article 34.

The GDPR rules now in force could greatly increase the penalties imposed on firms for data breaches, with fines of up to €20 million or 4% of global annual revenue, whichever is higher. For British Airways this would be about $630 million based on last year's revenue (Gwyn Topham, the Guardian, 09/06/18).

Yet many observers see fines this hefty as counterproductive and as a catalyst that will push business outside of the EU. Moreover, many international law firms and economists doubt the applicability of the GDPR outside of the EU, citing state sovereignty, free-enterprise protection in the United States, and similar concerns. The courts will likely further define the scope of GDPR's applicability and may roll its reach back somewhat. It is far too early to know what GDPR means in practice, but pushback is coming from well-funded, well-organized, well-researched and powerful legal and business interest groups. GDPR is dangerously overbroad and ambiguous, as echoed in this law firm newsletter (Wendy Butler Curtis and Jeffrey McKenn, Orrick, Herrington & Sutcliffe LLP, 09/09/18). We welcome the debate for a better, more modern GDPR.

All rights reserved © 2018 to present. Abstract Forward Consulting, LLC.