Airline Faces Max Fine After Self-reporting a Data Breach

Privacy Plus+

Privacy, Technology and Perspective

This week, the UK’s Information Commissioner’s Office (“ICO”) issued a £500,000 penalty under the Data Protection Act 1998 (“DPA”) against Cathay Pacific Airways for a data breach that the airline itself reported in October 2018.  A link to the Monetary Penalty Notice (“Notice”) follows:

https://ico.org.uk/media/action-weve-taken/mpns/2617314/cathay-pacific-mpn-20200210.pdf

We find four things about the ICO’s action to be significant:

(1)  The ICO primarily faulted Cathay Pacific for its security failures, including (but not limited to) failing to:

·      encrypt its database backups;

·      address known vulnerabilities;

·      appropriately limit access to its administrative console;

·      adhere to its own internal policies;

·      implement multi-factor authentication;

·      maintain up-to-date anti-virus protection;

·      maintain up-to-date patch management;

·      preserve digital evidence; and

·      engage in regular penetration testing.

Here, the takeaway is that basic data security means:

·      using a firewall to secure your Internet connection;

·      choosing the most secure settings for your devices and software;

·      controlling who has access to your data and services;

·      protecting yourself from viruses and other malware; and

·      keeping your devices and software up-to-date.

For more, please refer to the NCSC Cyber Essentials guidance, which the ICO referenced in its Notice, a link to which follows:

https://www.cyberessentials.ncsc.gov.uk/advice/

(2)  The ICO found that “there have been no cases of confirmed misuse of the personal data accessed by attackers,” but it still imposed a penalty because of Cathay Pacific’s negligence and because the scale of the breach was “likely to cause substantial damage or distress,” considering (a) how many people were affected (9.4 million customers globally, 111,578 of whom were from the UK), (b) how much was compromised (names, nationalities, birth dates, passport numbers, email addresses, postal addresses, phone numbers, frequent flyer membership numbers, customer service remarks and historical travel information); and (c) how long the breach continued (3 years and 7 months).

Here, the takeaway is that even absent a concrete injury from the data breach, causing an increased risk of substantial damage or distress was sufficient for the ICO to impose a substantial penalty.

(3)  The ICO imposed the maximum penalty possible under the DPA.  The ICO was acting “just” under the DPA, not the GDPR, because the contraventions pre-dated the GDPR’s application on 25 May 2018.  We wonder whether Cathay Pacific may soon face more fines from data protection authorities in the European Economic Area (or elsewhere). After all, the GDPR authorizes fines as high as 4% of global annual turnover…

(4)  Finally, keep in mind that Cathay Pacific self-reported this situation.  Will these sorts of high penalties disincentivize self-reporting?  Or would the penalty have been even worse if Cathay Pacific had not self-reported and the ICO had found out some other way?

Apropos of self-reporting, a side-note: Just this week, DOJ official Adam Hickey, the Deputy Assistant Attorney General for National Asset Protection, suggested to a Senate panel that Congress should require companies to self-report data breaches to law enforcement.  In doing so, he recognized the current disincentives, stating: "We can't respond to what we can't see, and there are significant disincentives, [in] some cases, to reporting to law enforcement." For more of his testimony, you can follow this link:

https://www.judiciary.senate.gov/meetings/dangerous-partners-big-tech-and-beijing

---

Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.
