There are now two law firms putting together class action lawsuits against BA under the provisions of Article 82 of the GDPR (General Data Protection Regulation), which entitles data subjects to financial compensation for non-financial damages.
If the 380,000 customers affected by the recent incident get, say, just £2,000 each for their distress and possible identity theft, this would easily amount to £750m. It could be more. Of course, neither action might get off the ground, but who would want to be in the position of hoping for an action to go away?
Integrity and confidentiality
BA turned over £12.2 billion last year. Given that this is a breach of the GDPR’s integrity and confidentiality principle, which requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”, the higher tariff of fines (up to 4% of worldwide annual turnover) would be applicable – and that means the potential fine could be nearly £500m.
The ICO has previously suggested that it is unlikely to levy the maximum fine for a first offence, because that leaves nothing more serious for a second offence – so one could assume that the fine in this instance might only be, say, £250 million. Personally, I think the ICO needs to be much more dramatic with the initial fines it imposes – the GDPR does, after all, call for fines to be ‘dissuasive’ as well as proportionate and there are an awful lot of UK organisations that should be, but are not, either PCI or GDPR compliant – and they almost certainly need to see significant fines being imposed to jerk them out of their complacency.
It’s not all about fines
Those two elements easily add up to £1 billion. BA’s lawyers will be working as hard as they can to reduce these amounts as much as possible and the final sum may well be less than £1 billion – but there will still be lawyers’ fees, forensic investigation fees, PCI SSC fines, and other professional advisory fees to pay. On top of that, BA has so far promised to provide all those affected with some form of credit file monitoring service (and that’s a few million more pounds out the door).
Then there is reputational damage and loss of customers to consider. IAG’s share price is down from 712.60 on Wednesday 5 September to 663.00 today – a drop of around 7% – and it looks as though this was triggered by news of the data breach. So, what’s the possibility of a shareholder action being brought against BA and its management for failing to properly secure the company and thereby causing shareholders to lose money?
The financial costs of not being data-breach ready are not worth contemplating – because, of course, BA is still going to have to spend what it should have spent to secure its transactions anyway – and, given that it will never want to find itself in front of the ICO again, it will likely go overboard in securing itself.
So much less expensive, so much more convenient, just to have got breach ready in the first place!