Canadian organizations preparing for mandatory security breach reporting and notification, which comes into force soon, can learn from British Airways' (BA's) recent experience with a security breach.
As of November 1, 2018, under the Personal Information Protection and Electronic Documents Act (PIPEDA), an organization that suffers a security breach creating a real risk of significant harm must report the breach to the Office of the Privacy Commissioner of Canada (OPC) and notify the affected individuals. An organization that notifies affected individuals must also, in certain circumstances, notify government institutions or other organizations that may be able to reduce the risk of harm.
The European Union's (EU's) General Data Protection Regulation (GDPR) contains similar provisions. Under the GDPR, organizations must report a security breach that is likely to result in a risk to the rights and freedoms of natural persons to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. They must also notify the affected individuals without undue delay if the breach is likely to result in a high risk to those rights and freedoms, so that the individuals can take the necessary precautions.
The overarching takeaway is that a security breach response is multi-faceted. Organizations must identify and remedy the root cause of the breach, manage regulatory obligations to avoid fines and other sanctions, and manage public relations to minimize the ongoing impact on revenue and reputation.
The September 8-9, 2018 edition of the Financial Times Weekend (FT) reported that BA's breach was the first to hit a major corporation since the GDPR came into effect on May 25, 2018. Penalties for non-compliance with the GDPR can be as much as €20M or 4% of worldwide annual turnover in the preceding fiscal year, whichever is higher; on that basis, a fine in BA's case could approach £500m.
A hacker gained access to BA's website and mobile app through a suspected vulnerability in the airline's web server and accessed or intercepted customer data, including names, email addresses and credit card information: card numbers, expiration dates and the 3-digit Card Verification Value (CVV) codes printed on the backs of cards. BA says the hack took place between August 21, 2018 and Wednesday, September 5, 2018, and affected approximately 380,000 BA customers. BA's response offers several lessons.
- Act quickly to stop the breach and prevent a recurrence: Upon discovering on Wednesday, September 5, 2018 that something was wrong, BA says it immediately began working to identify the extent of the breach.
- Report quickly and on time: Reportedly, by Thursday, September 6, 2018, BA had notified the United Kingdom's privacy regulator, the Information Commissioner's Office (ICO), well within the GDPR's 72-hour reporting deadline. In Canada, organizations must report to the OPC "as soon as feasible after the organization determines that the breach has occurred". BA also notified its stock market regulator; the Canadian equivalents are provincial securities regulators such as the Ontario Securities Commission (OSC).
- Notify affected persons without delay: Reportedly, by Thursday, September 6, 2018, after notifying regulators, BA began notifying affected customers by email. Under PIPEDA, organizations must notify affected individuals, ideally directly (for example by email), as soon as feasible after determining that the breach has occurred.
- Focus on public relations too: In addition to legal requirements such as mandatory reporting and notification, organizations must remember the human element. By Friday, September 7, 2018, BA had placed newspaper ads apologizing for the breach, and BA's Chairman and CEO appeared on BBC Radio 4's Today programme to apologize and to promise financial compensation to anyone who loses money because their credit card information is misused.
- Despite best efforts, there will still be fallout: Although BA acted quickly, perhaps as quickly as it felt it could, some customer relationships may have been damaged and BA must try to repair them. According to the FT, because of the time lag between notifying regulators and notifying some of its customers, other customers learnt of the breach through Twitter and other online sources, and they were not pleased. One customer also expressed annoyance that BA had put the onus on him and other customers to contact their banks to prevent fraud. Under PIPEDA, an organization that suffers a breach may disclose information to third parties such as banks without the affected individuals' knowledge or consent where the law so provides, for instance where a factor prescribed by regulation exists, or where it believes that those third parties may be able to mitigate the harm or reduce the risk of harm resulting from the breach.
- It may be your problem even if your organization was not breached: The BA breach had a ripple effect on other organizations, banks in particular, since it is prudent for any organization to respond to a security breach that may affect it or its customers. Within hours of learning of the BA breach, Monzo's CEO tweeted that the bank had proactively contacted over 1,300 of its customers affected by the breach to offer them replacement bank cards.
BA's experience underscores that cybersecurity matters. In addition to this security breach, BA has suffered a series of IT-related issues that some have blamed on weak IT infrastructure and austerity measures at the airline.