British Airways £183m data breach fine: should schools be worried?
In a word (or three) no, not really. Before we get overexcited about BA's hefty fine, let's put it in perspective and remember that, for the moment, it is only the Information Commissioner's Office's intention to levy this fine; BA will now make representations about it.
Under the old rules the ICO could fine organisations up to £500k. You may remember that Facebook and Equifax were stung with £500k fines in late 2018 for breaches under the old rules, and earlier that year Carphone Warehouse paid out £400k and Uber stumped up £385k.
Those fines don't really make a dent in large organisations, and that's why the rules now allow for a fine of up to €20m or 4% of worldwide turnover. The details of the breach that led to the fine are not hugely relevant; the key point is that it was a cyber breach that led to the personal data of around 500,000 people being compromised, including payment card details and login information. So the data stolen was significant in terms of both volume and content.
Does this mean schools will be hit with similar fines? Personally, I don't think so. We do need to take it seriously, not because of the big chunk of cash BA will be handing over, but because of what Elizabeth Denham said:
"People's personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear – when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
Ask yourself this: if you had a data breach and faced the scrutiny of the ICO, how would you fare?
Here are my top tips to help you fare pretty well:
- Appoint and train your DPO and keep that training updated;
- Train staff and be able to evidence outcomes of that training;
- Carry out basic audits (and be able to evidence them) and then take steps to remedy any weaknesses;
- If you have a reportable breach, report quickly and fully;
- The fines can be hefty, so getting legal advice when managing a breach is worthwhile.