Locations
The reporting requirements for listed companies may have given a strong hint as to how much the ICO will fine British Airways (BA) for its data breach. Spoiler alert: it's likely to be far less than the £184 million announced a year ago, and could be as little as 10% of that amount.
In July 2019, IAG (parent company of British Airways) announced to the London Stock Exchange that the UK Information Commissioner's Office (ICO) had issued a notice of an intention to fine British Airways £183.39 million for infringements of the GDPR. The intended fine related to a cyber incident on the British Airways website that compromised consumer log in details, payment card information, travel booking details and contact details. The details of the ICO enforcement action and the fine have not been made public, pending representations made by BA and other concerned data protection authorities.
Today IAG issued its Interim Management Report for the six months ended June 30, 2020 that suggests a far lower number for the ICO fine. Page 8 of the report notes that "[a]n exceptional expense of €22 million has been recorded in respect of a provision in relation to the theft of customer data at British Airways in 2018." Yes, €22 million. At today's exchange rate that is about £19.78 million, barely more than 10% of the original indicated fine.
Does this mean that the ultimate fine will be under £20 million? Possibly. The mention of a particular amount in this report is not mere coincidence. Interim Management Reports are subject to an array of accounting rules and the rules of the particular exchange (for IAG, the London Stock Exchange). Under applicable accounting rules, classifying this as a "provision" means that the amount or timing of the payment is unclear. But the amount is probable enough to require disclosure in this particular report on the six months to June 30, 2020. Previous IAG filings (notably its Annual Report for 2019, issued in March 2020) made mention of delay in the ICO proceedings with no provision announced. In other words, something has happened in the first six months of 2020 to enable IAG to quantify the €22 million figure.
This figure is not coming out of thin air, but could it relate to some other expense surrounding the data theft? Possibly, but not likely. Ongoing expenses such as attorneys' fees and IT remediation are easy to quantify and would not be accounted for as a one-time provision (much less one appearing for the first time in this particular filing). The provision could (theoretically) relate to a proposed settlement of the compensation claims. Any compensation settlement, however, would be notified to the claimants and the deadline for claims has not yet passed (making it nigh on impossible to agree a compensation pot). The remaining conclusion is that this number must be based on the negotiations with the ICO. The final amount of the fine is still a question mark. But this is a strong indication that it will be far less than the £183.39 million suggested barely more than a year.
This is not the first time that listed company reporting requirements have allowed a peek behind the curtain of GDPR fines. Also in July 2019, Marriott International notified the US Securities and Exchange Commission (SEC) of the ICO's intention to fine £99 million for a cyber breach. That announcement, like the BA one, was driven by Marriott's disclosure requirements, albeit under SEC regulation and US accounting rules. Marriott similarly reported the delay in the ICO fine in its SEC filings earlier this year. And Marriott, like British Airways, has felt significant effects of COVID-19. Eagle-eyed GDPR fans will, no doubt, be scouring the forthcoming Marriot quarterly filing with the SEC for similar clues as to the Marriott fine.
Opinions will vary as to whether a greatly reduced British Airways fine would be a good thing (i.e. GDPR fines will not bankrupt a company undergoing severe and unprecedented financial difficulties) or a bad thing (i.e. GDPR fines need to be significant to have a deterrent effect). The UK authorities certainly have taken a pragmatic view in other circumstances. When Rolls-Royce agreed to pay £652 million for bribery offences, it requested and the UK Serious Fraud Office accepted payment over a three year time frame to accommodate the financial impact on Rolls-Royce. Whether the ICO will adopt a similar "pay over time" approach (particularly if the ICO does not offer its early payment discount) remains to be seen. It is certainly one way to balance the required deterrent effect of the GDPR with the impact on shareholders and the business.
In any event, the ICO is clearly moving closer to a final amount for the BA data breach fine. So watch this space.