ICO: once shy, bites twice

15th July 2019

Massive fines for GDPR breaches should lead to a rethink on corporate attitudes towards cyber security and its communication

The £183m fine issued on the 8th of July to BA by the ICO (the UK regulator for data and privacy law) was a wake-up call for the boardrooms of any UK companies which were unsure about the stakes at play in cyber security. It was closely followed by a £99m fine for Marriott International which surely puts to bed any questions about whether the regulator would be more bark than bite when it comes to enforcing the new GDPR regime which came into force across the EU in May 2018.

The ‘Big Tech’ backlash is a dominant theme in Brussels and Washington, as global trade tensions continue. But with the ICO’s move against BA and Marriott International it is now clear that the UK regulator has wider targets in its sights. Parallel developments in the legal realm are pushing cyber security and data privacy issues further up the corporate risk list.

Morrisons, the UK supermarket chain, is currently appealing a High Court ruling from 2017, which held it ‘vicariously liable’ for the actions of a rogue employee (since jailed for 8 years ) who leaked sensitive information including salaries and NI numbers of 100,000 staff members. This ruling, already upheld in the Court of Appeal in October 2018 and now due to go to the Supreme Court, has opened the way for a class action allowing affected people to claim compensation for upset and distress.

Ominously for BA, adverts are now appearing on Google from SPG Law which is seeking to launch a similar class action against BA, which could be worth more than £500m if they are successful in seeking up to £1,250 in compensation per person for the “inconvenience, distress and annoyance” caused by BA’s data breach. It should be noted that both decisions are subject to appeal, but there is no question that the stakes have been raised considerably for companies when thinking about cyber security issues.

The scale of the proposed fines reinforces the obvious point that prevention is better than cure. However, most cyber security experts agree that it is a matter of ‘when’ not ‘if’ a company experiences a data breach and it is equally important to focus on the response in preparing for a breach. According to research by Oxford Metrica/AON, a company’s response to a crisis has a direct impact on share price performance. Studying 15 high profile crises they found that the share price of effective responders was a third higher a year after the breach than that of ineffective responders when adjusting for other factors.

In many regards what constitutes an effective response in the immediate aftermath of a crisis is a judgement call on your communications, not your actions. Speed, clarity, consistency, empathy, leadership and actionable detail; the extent to which your communications convey these will set the tone amongst key audiences and can make a huge difference in recovering lost reputation.

These are clearly very difficult circumstances in which to communicate and while there was a good deal of social media discontent about how BA managed the immediate aftermath of its disclosure, it drew praise for its efforts to apologize to customers, which included prominent adverts in national newspapers. Less impressive was the near three month gap between Marriott discovering its breach and its first public admission that so much information had been exposed for so long.

And what are we to take from the initial statements from the ICO and the companies in the wake of the fine announcements?

Both BA and Marriott responded with remarkably look-alike statements claiming they were victims of criminal attacks and that they would contest the fines and defend their positions vigorously having cooperated fully with the inquiries. The companies now have the chance to make representations before the amount of the fines are confirmed, but it’s hard to imagine the ICO softening its position materially in what has been a clear attempt to flex muscle “pour encourager les autres”.

There are three other points of note. Firstly, and most importantly from a communications perspective, the ICO fines and the Morrisons ruling make clear that the ‘victims of crime’ defence doesn’t cut it with regulators and lawmakers any more than it does with the actual victims whose personal data have been stolen. This positioning, often encouraged by lawyers, should be used with care.

Secondly, saying in mitigation that no fraudulent activity has taken place rather misses the point. BA included this in their statement, while the Marriott CEO stated this in a US Senate hearing earlier this year. The scale of both fines has plenty of room for upward movement had there been financial losses. Referring to the absence of subsequent fraud serves to belittle the incidents and shirk responsibility for allowing the data to be stolen in the first place – not a good look in the eyes of your customers.

Thirdly, caveat emptor. Commenting on the Marriott fine, Elizabeth Denham, the ICO commissioner, said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition.” Blaming previous owners is no defence.

So the message is clear. Companies are responsible for the data they hold; how they use it and how they protect it. Period. The tone with which they communicate any data breach incidents needs to reflect that, or risk adding further reputational damage to the cost and time of reparations.