The Cathay Pacific data breach – a drop in the ocean?
Pre-GDPR Legislation minimises potential fine
On 4 March 2020, the UK Information Commissioner's Office (ICO) revealed that it had handed Cathay Pacific Airways Limited the maximum possible pre-GDPR fine of £500,000 for a series of severe data protection violations.
The ICO found that Cathay Pacific's computer systems exposed the personal information of up to 9.4 million data subjects, including their names, nationalities, dates of birth, phone numbers, email and postal addresses, and passport numbers. The ICO pointed to a number of failings, including a failure to encrypt back-up databases and inadequate anti-virus protection. The ICO's Director of Investigations noted that "at its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance".
Whilst the timing of the breaches meant that Cathay Pacific (unlike British Airways and Marriott) narrowly escaped a much larger GDPR fine, there is plenty of note in the ICO's decision:
This is not the first time the ICO has issued a maximum fine under the pre-GDPR legislation – Facebook previously received the £500,000 penalty in relation to the Cambridge Analytica incident, and credit reference agency Equifax was issued with the maximum fine for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017. However, in the pre-GDPR era, instances of maximum fines under the 1998 Act have been relatively scarce, demonstrating an unwillingness by the ICO to identify particular data breaches as constituting the worst kind of breach possible under the legislation. Increasingly, however, we are seeing the ICO view breaches falling into the pre-GDPR era through a post-GDPR lens, and considering the standards of the more onerous regime when making its decisions.
This is all the more evident given the importance placed by the ICO on Cathay Pacific's lack of prompt disclosure. The ICO was informed of the breach in October 2018, but found that the earliest date of unauthorised access to Cathay Pacific's systems was 14 October 2014, with the earliest known date of unauthorised access to personal data being February 2015. This was considered a clear contravention of the 72-hour deadline for notification under the GDPR. Clearly, it is crucial that businesses consider the importance of taking early legal advice on their notification obligations, as well as involving security experts when breaches occur.
The decision concludes that "Cathay Pacific did have in place a wide array of proactive security measures and policies at the time of the attack. However, it failed to effectively manage those solutions, or to adhere to its own policies". It refers to failures by Cathay Pacific to abide by a range of internal IT and related crisis management policies, and reminds us that adequate policies alone are not sufficient – businesses have to test and implement policies in response to a breach.
The ICO was clear on the practical implications of failing to meet document retention requirements – here, such requirements plainly influenced the quantum of the fine imposed. The ICO noted that Cathay Pacific had fallen foul of the fifth data protection principle by maintaining overly long retention periods, and that, had shorter retention periods applied, less data would have been compromised.
There is much to consider in the ICO's decision. We understand that an appeal is not currently intended. This is perhaps unsurprising – a £500,000 fine (£400,000 if paid early) is a drop in the ocean by comparison to a fine of 4% of global turnover, which is what businesses may face if they ignore the lessons from cases such as Cathay Pacific.