The UK Information Commissioner's Office (ICO) has announced that it intends to fine British Airways £183.39m for breaching the European Union's General Data Protection Regulation (GDPR).
British Airways' breaches of the GDPR relate to a cyber security incident, which British Airways self-reported to the ICO in September 2018. As part of the incident, users of the British Airways' website were directed to a fraudulent site that then harvested customer data (including payment card details, travel booking details, names and addresses). It is estimated that 500,000 customers' details were compromised.
As part of its review into the incident, the ICO identified that British Airways had poor security arrangements in place to protect customers' data. British Airways will now have an opportunity to make representations to the ICO regarding the findings and proposed sanction (and it is expected that British Airways will appeal the fine).
This is a timely reminder for New Zealand businesses. As we have commented before, the extra-territorial provisions in the GDPR mean that it can apply to those operating from New Zealand. As the ICO's announcement regarding the British Airways' incident demonstrates, the potential consequences of breaching the GDPR can be significant.
In respect of cyber security more generally, the Department of Prime Minister and Cabinet has recently leased a Cyber Security Strategy 2019, which, amongst other matters, identifies the importance of the awareness of cyber security risks and building a strong and capable cyber security workforce.