Mactavish warns ‘GDPR fines unlikely to be insurable’ as British Airways faces £183.39m penalty for data breach
Cyber security hit the headlines again this week as a UK watchdog said it intends to fine British Airways (BA) £183.39m for breaches of data protection law.
In a statement to the London Stock Exchange, the Information Commission Office (ICO) said it plans to fine the national air carrier for infringing the General Data Protection Regulation (GDPR) in September 2018.
The ICO investigation found that customer details were stolen after people visiting the BA website were diverted to a fraudulent site. The attack is believed to have started in June 2018 and the personal data of approximately 500,000 customers was compromised.
BA’s “poor security arrangements” were criticised by the ICO after the investigation revealed that hackers accessed log in, payment card, and travel booking details as well as names and addresses.
However, business leaders were also warned that they may not be able to take out insurance to cover against the risk of such huge fines.
“Although many policyholders may not be aware of the detail, all GDPR fines are currently unlikely to be insurable in the UK for reasons of public policy, but the position is still not fully clear,” warned Bruce Hepburn, chief executive at insurance governance firm Mactavish.
“In addition, very large fines of this level or more would also exceed the maximum amount of insurance most companies could buy in the cyber insurance market under a standard policy structure.”
Hepburn said that cyber insurance was “still valuable if purchased carefully”.
“Well-designed cyber insurance can cover any fines which are deemed to be insurable by law, defence costs (which could be significant), compensation due to affected individuals, as well as crisis management and customer support costs that an affected company will incur beyond the fine itself.
“But the devil is in the detail for cyber-insurance and companies need to understand what they are buying and the limits to what their insurance will in fact cover. As just one example, cyber insurance might provide broad cover to voluntarily notify individuals affected by a data breach, or much narrower cover to notify individuals only where there is a strict legal requirement to do so.
“Such differences can be critical but are often buried in the detail of the insurance policy. So companies need to invest the time in understanding their needs and ensuring they buy the right insurance to avoid surprises if affected by a claim.”
Another commentator said the size of BA’s fine “must serve as a wake-up call” for other companies, many of whom are still highly vulnerable to cyberattacks themselves.
“These companies need to act now and ensure that they are harnessing the latest technologies to protect their customers’ personal data,” said Nick Wyatt, head of research and analysis, travel and tourism at data company GlobalData.
“£183 million is a record fine and represents 1.5 percent of the company’s annual turnover. However, new GDPR laws permit fines of up to 4 percent, so it could have been worse, especially when you consider that the details of about 500,000 customers were harvested in the attack.”
