British Airways £183m data breach fine – should schools be worried?

In a word (or three) no, not really. Before we get overexcited about BA’s hefty fine, let’s put it in perspective and remember that for the moment it is the Information Commissioner’s Office intention to levy this fine – BA will now make representations about it.

Under the old rules the ICO could fine organisations up to £500k. You may remember that Facebook and Equifax got stung with £500k fines in late 2018 for breaches under the old rules and earlier that year Carphone Warehouse paid out £400k and Uber stumped up £385k.

Those fines don’t really make a dent to large organisations and that’s why the rules now allow for a fine of up to €20m or 4% of worldwide turnover. The details of the breach that led to the fine are not hugely relevant; the key point is that it was a cyber breach that led to the personal data or around 500,000 people being compromised, which included payment card details and log in information. So, the data stolen was significant in terms of volume and content.

Does this mean schools will be hit with similar fines? Personally, I don’t think so. We do need to take it seriously, not because of the big chunk of cash BA will be handing over, but because of what Elizabeth Denham said:

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Ask yourself this: if you had a data breach and faced the scrutiny of the ICO, how would you fare?

Here are my top tip tops to help you fare pretty well:

1. Appoint and train your DPO and keep that training updated;
2. Train staff and be able to evidence outcomes of that training;
3. Carry out basic audits (and be able to evidence them) and then take steps to remedy any weaknesses;
4. If you have a reportable breach, report quickly and fully;
5. The fines can be hefty, so getting legal advice when managing a breach is worthwhile.