Why British Airways’ data breach fine highlights the changing challenge of reputation management

By Charlie Ansdell

This morning British Airways received a provisional fine of £183m from the Information Commissioner’s Office (ICO) for data breaches which happened in June 2018. This is significant for many reasons.

It is the first major public fine under the GDPR regime and the quantum involved is remarkable – equivalent to 1.5% of the company’s worldwide turnover in 2017. The previous largest fine of £500,000, for Facebook for its role in the Cambridge Analytica scandal, was levied under the previous regulatory regime. It is worth bearing in mind that GDPR would have allowed the ICO to fine the company up to 4% of worldwide turnover – or nearly £500m.

In addition, British Airways was the victim of a malicious hack in this case. Even though it was the attacked party, it was held culpable for failing to protect customers’ data.

Finally, the ICO went public about the fine – deliberately drawing attention to the issue, highlighting the potential consequences of data breaches and pointedly demonstrating the powers at its disposal.

Technology is creating new reputational risks

The issue highlights the fast-evolving nature of reputational (and operational) threats. New technology, and the data associated with it, produces several potential risks for companies.

‘Denial of service’ attacks, hacks, ransomware, data breaches, exceeding data authority and system outages now commonly feature on companies’ risk registers.

Data hacks/breaches tend to have quite specific characteristics. Unlike denial of service attacks or system outages, it may not immediately be apparent that a leak has occurred. It may take many months or years until a breach/hack is identified. It may be even longer before the issue becomes public (in the case of British Airways, the issue became public in September 2018, three months after the initial incident).

Because of this, the impact and extent of a breach can be difficult to assess; in turn, this makes it challenging to gauge how to respond.

In addition, the management of data breaches/hacks may involve multiple stakeholders, including data and conduct regulators, IT specialists, crime authorities and fraud associations.

Managing the reputational impacts of data breaches

The key to successful reputational risk management is preparation and mitigation.  By putting in place robust reputation monitoring, process, response, governance and protocols, companies can be better prepared to manage potential reputational risks around data leaks.

As part of this, it is critical to map the various stakeholders involved in managing any reputational response. In the case of data breaches/hacks, there are various stakeholders that must be informed within strict, sometimes statutory, timelines. This can include regulators but also other parties such as insurers, who may impose obligations to inform them of any potential claim immediately.

It is also clear from this case that regulators will seek to put the onus on companies to protect personal data. However, the long gestation period of data breach/hack issues also provides an opportunity for companies to take control of the narrative; indeed, with potentially significant time before issues become public, companies can explain what has happened, why it has happened and the steps they have taken to ensure that it won’t happen again.

Demonstrating leadership in challenging situations

Advances in technology may throw up new challenges for companies, but the principles of effective issues management remain the same.

Successfully managing a company through an issue is a matter of leadership. In an increasingly complex and evolving world, issues will happen from time to time. However, the public expects companies to take leadership when issues occur – to own them, solve them and ultimately learn from them.

Charles Ansdell is managing partner at Newgate Communications and specialises in issues and reputation management.

 

 
