The reporting requirements for listed companies may have given a strong hint as to how much the ICO will fine British Airways (BA) for its data breach.  Spoiler alert:  it’s likely to be far less than the £184 million announced a year ago, and could be as little as 10% of that amount.

In July 2019, IAG (parent company of British Airways) announced to the London Stock Exchange that the UK Information Commissioner’s Office (ICO) had issued a notice of an intention to fine British Airways £183.39 million for infringements of the GDPR.  The intended fine related to a cyber incident on the British Airways website that compromised consumer login details, payment card information, travel booking details and contact details.  The details of the ICO enforcement action and the fine have not been made public, pending representations made by BA and other concerned data protection authorities.

Today IAG issued its Interim Management Report for the six months ended June 30, 2020 that suggests a far lower number for the ICO fine.  Page 8 of the report notes that “[a]n exceptional expense of €22 million has been recorded in respect of a provision in relation to the theft of customer data at British Airways in 2018.”  Yes, €22 million.  At today’s exchange rate that is about £19.78 million, barely more than 10% of the original indicated fine.

Does this mean that the ultimate fine will be under £20 million?  Possibly.  The mention of a particular amount in this report is not mere coincidence.  Interim Management Reports are subject to an array of accounting rules and the rules of the particular exchange (for IAG, the London Stock Exchange). Under applicable accounting rules, classifying this as a “provision” means that the amount or timing of the payment is unclear.  But the amount is probable enough to require disclosure in this particular report on the six months to June 30, 2020.  Previous IAG filings (notably its Annual Report for 2019, issued in March 2020) made mention of delay in the ICO proceedings with no provision announced.  In other words, something has happened in the first six months of 2020 to enable IAG to quantify the €22 million figure.

This figure is not coming out of thin air, but could it relate to some other expense surrounding the data theft? Possibly, but not likely.  Ongoing expenses such as attorneys’ fees and IT remediation are easy to quantify and would not be accounted for as a one-time provision (much less one appearing for the first time in this particular filing).  The provision could (theoretically) relate to a proposed settlement of the compensation claims.  Any compensation settlement, however, would be notified to the claimants, and the deadline for claims has not yet passed (making it nigh on impossible to agree a compensation pot).  The remaining conclusion is that this number must be based on the negotiations with the ICO.  The final amount of the fine is still a question mark.  But this is a strong indication that it will be far less than the £183.39 million suggested barely more than a year ago.

This is not the first time…
