Despite the constant reports of cyber breaches, the risk seems to be generally accepted as part and parcel of using the internet and smart phones; in much the same way that motor accidents are an accepted price for the convenience of road transport. We just hope they don’t happen to us.
But perhaps that may change, particularly for companies and their insurers, following the Information Commissioner's Office (ICO) announcement that it intends to fine British Airways £184m, the largest fine so far under the new General Data Protection Regulation (GDPR). This follows the much-publicised cyber incident last September, when 500,000 customers had their data compromised. The ICO say the breach was due to poor security arrangements, although British Airways have issued a defence saying they faced a sophisticated, malicious criminal attack.
Whatever the outcome, the message from the ICO was clear: “when you are entrusted with personal data you must look after it”, and they subsequently announced their intention to also fine Marriott Hotel Group £99m. These draconian fines may just be a warning to large companies, but they may also be a sign that we are moving towards a position of ‘strict liability’: whatever security you put in place, and however sophisticated the attack, if the criminals succeed, you didn’t do enough. You would hope that smaller companies doing their best without large cyber security budgets will be given more leeway, but we will have to wait and see.
However, there are a number of aspects about the British Airways case that are relevant to all businesses, including small firms.
Firstly, GDPR fines are insurable, and most cyber insurers cover fines ‘if insurable by law’, which is where it gets a little complicated. Criminal fines are not insurable, but fines from regulators can be covered, as they are not criminal fines. However, that only applies if the fine was not for deliberate, dishonest, intentionally illegal or morally reprehensible acts. If anything untoward is suspected, the individual circumstances would need to be considered, and possibly tested in court, before an insurer pays a claim.
Secondly, it is not just the fine: the cost of dealing with the breach and paying compensation can be enormous, particularly if credit card information is compromised. Interestingly, if you google ‘British Airways fine’, the top result is the advert ‘have you been affected?’, so, as was predicted before GDPR was introduced, a whole new compensation industry has emerged.
There is also the question of whether a fine and other costs relating to a breach can be recovered from another party, such as an IT security firm. This may not be straightforward, as it would involve proving they were negligent, and there may be contractual restrictions limiting their liability.
I often hear that cyber risks are more of a problem for big, rather than small, companies, but these fines are scary, and if you hold data you would be well advised to consider cyber insurance.
And finally, you may wonder where the fines go. Back to the treasury to be spent wisely of course!