Let's start with GDPR
what is 'The General Data Protection Regulation', or GDPR?
The General Data Protection Regulation (GDPR) came into force last year, and was the biggest shake-up to data privacy in 20 years. It sets out six basic principles organisations must comply with when processing data. These are:
- lawfulness, fairness and transparency;
- purpose limitation;
- data minimisation;
- accuracy;
- storage limitation;
- security and accountability.
Under the GDPR, an organisation that does not comply with the basic principles can be fined up to 4 per cent of annual global revenue.
What happened with British Airways?
British Airways has been fined by the Information Commissioner's Office (ICO) for a data breach which affected more than 400,000 customers. The penalty deals with failures by BA regarding the security and accountability principles, which meant malicious hackers could potentially have accessed the personal data of approximately 430,000 customers and staff - including names, addresses, payment card numbers and CVV numbers.
The first £20 million fine
The penalty imposed on BA is the first one to be made public since those rules were introduced, which made it mandatory to report data security breaches to the Information Commissioner.
Until the British Airways data breach, the biggest penalty was £500,000, imposed on Facebook for its role in the Cambridge Analytica data scandal. That was the maximum allowed under the old data protection rules that applied before GDPR.
The ICO had previously said it was considering a fine of £183.39 million, but said it had reduced the amount to limit the focus of its action, took mitigating factors into account and granted a discount that also reflected the economic pressure on the company stemming from the coronavirus crisis. Curiously, the ICO said the original proposed fine of £183 million was not used as a benchmark for whether it had actually imposed a fine of £20 million, and that it was not taken into account in its decision on the amount. But, so far, no one knows for sure what the actual benchmark for regulatory enforcement would be, or what kind of violation would justify the maximum penalty. Some have pointed out that EU supervisors have imposed much lower penalties for similar infringements, and others have claimed that the actual harm caused by the infringements is minimal.
The lawsuits are just starting
Let's not forget: the GDPR fine was for violations of the normative rules, but now the affected individuals are entering the story. British Airways (BA) faces the largest group claim ever made in U.K. legal history.
"More than 16,000 customers have so far joined a consumer legal action ahead of a March 19 deadline, according to law firm PGMBM, the lead solicitors in the class-action suit. It is the first group lawsuit of its kind to be brought in the United Kingdom under the GDPR and is also the largest “opt-in” claim in relation to a U.K. data breach." - writes Neil Hodge in his article on comlianceweek.com
It looks like handling such legal cases will grow into an industry: a search for the term “British Airways data breach” returns paid advertisements from other law firms in addition to PGMBM, each promising higher and higher compensation.
If we do a simple multiplication, the cost of the lawsuits could far exceed the GDPR fine!
The Takeaways
We should stop here for a minute and think about it. If such a large company, with a dedicated cybersecurity group and experts, suffered this kind of data breach, how vulnerable can a small or medium-sized company be? SMEs operate in the same dangerous environment: targeted and non-targeted attacks and eavesdropping are as much a threat to SMEs as to the bigger ones.
Most companies, even those with good results in the market today, have a massive number of cybersecurity vulnerabilities. One of the most common vulnerabilities is the employees themselves, who use insecure and unprotected 'free' communication platforms to call and chat with colleagues, or worse, send photos of documents, or even the files themselves.
As a first step, every SME should eliminate one of its weakest links: unprotected communication. Using a secure communication platform increases the level of cybersecurity significantly!
Use NonPry.
What is NonPry Secure Call?
NonPry uses the most advanced encryption and authentication technologies to prevent the interception of your calls. Our communication servers are only used to provide you with the communication channel, the ecosystem does not save your communication or metadata.
Do you want to know about the most secure communication technology, with less traceability than Signal? And it costs only two cappuccinos a month?
Learn more about NonPry here!