British Airways Faces $230 Million Fine Over Data Breach -- 2nd Update
July 08 2019 - 8:32AM
Dow Jones News
By Robert Wall and Parmy Olson
A U.K. privacy watchdog has proposed a $230 million fine for the
owner of British Airways -- a potentially record, privacy-related
penalty in Europe -- alleging it failed to protect passenger data
after a hack last year.
The move, which British Airways owner International Consolidated
Airlines Group SA said it would fight, represents the latest, and
by far biggest, proposed penalty issued by national-privacy
regulators across the European Union. The fines follow the EU's
enactment last year of sweeping new privacy rules across the bloc
aimed at holding companies accountable for protecting the personal
data increasingly swept up in today's digital world.
It falls to national regulators to enforce the rules with
companies over which they have jurisdiction. The proposed fine in
Britain overshadows the next largest: France, in January, imposed a
EUR50 million ($56 million) fine against Alphabet Inc.'s Google. In
that case, France said Google didn't go far enough in getting valid
consent to gather data for targeted advertising. Google said it
planned to appeal the decision in the coming weeks.
The proposed fine against British Airways -- accounting for
about 1.5% of IAG's 2017 revenue and more than 6% of its forecast
2019 operating profit -- threatens to become a shot across the bow
of Europe Inc., as well as a warning to foreign firms that do
business here. While many international businesses have been
gearing up for General Data Protection Regulation, or GDPR,
compliance for years, Britain's proposed fine makes clear the large
financial stakes of falling short.
The ICO's proposed fine is the "tip of the iceberg," said Tony
Pepper, chief executive of email-encryption service Egress Software
Technologies Ltd. He believes the British regulator has health care
businesses, government agencies and financial services in its
crosshairs and will issue more big fines over the next six-to-12
months. The ICO doesn't oversee the privacy practices of the big
U.S. tech giants that have chosen Ireland as their European
base.
The proposed fine stems from an increasingly common corporate
hazard -- a breach of customer data. Airlines, in particular, have
faced frequent attempts to penetrate their customer records. Last
year, Cathay Pacific Airways Ltd., one of Asia's largest long-haul
carriers, and Air Canada both reported their own instances of
unauthorized access to some customer information.
In the U.S., there is no central authority tasked with probing
and punishing instances where data protection measures fall short.
In many cases, companies that fall victim to such hacks can be
liable for customers' financial losses stemming from the
unauthorized breach of their data. But they generally aren't held
accountable for failing to prevent the hack in the first place.
Companies have been held to account over failing to disclose
such hacks, and other, broader privacy issues. Uber Technologies
Inc. last year reached a $148 million nationwide settlement with
U.S. states over allegations it concealed a 2016 data breach.
Facebook in April set aside $3 billion for an expected fine from
the Federal Trade Commission over alleged privacy violations.
Regulators in Europe have gained increasing authority to fine
companies for failing to specifically safeguard customer
information or privacy. Ireland has more than 50 privacy
investigations under way, including against tech companies such as
Facebook and Apple Inc. A spokeswoman for Britain's ICO said it had
several more investigations under way, as well.
The proposed fine is the first for Britain's ICO. Under GDPR,
regulators, in extreme cases, can fine a company as much as 4% of
annual sales. Most fines so far have been far smaller, typically
less than $1 million. Shares in IAG opened 1.5% lower in
London.
British Airways last year said about half a million passenger
records were accessed in a cyberattack that took place between
August 21 and Sept. 5. The airline carried more than 45 million
passengers in 2018. The airline group said Sept. 6 it had
discovered and resolved the breach of its website and app and that
police were notified.
The British regulator, in a statement, said "a variety of
information was compromised by poor security arrangements at the
company, including log in, payment card, and travel booking details
as well as name and address information."
IAG Chief Executive Willie Walsh said that "we intend to take
all appropriate steps to defend the airline's position vigorously,
including making any necessary appeals." The airline has cooperated
with the investigation, the regulator said, and made improvements
to its security.
The ICO said it would take into account feedback from British
Airways and other data protection authorities as it makes a final
determination on the fine. The airline has 28 days to make its
case. The regulator said the company can appeal against any final
determination.
Write to Robert Wall at robert.wall@wsj.com
(END) Dow Jones Newswires
July 08, 2019 08:17 ET (12:17 GMT)
Copyright (c) 2019 Dow Jones & Company, Inc.