Regulation and Enforcement is Broken in its Current State

Regulation without a prescriptive solution and guidelines is useless.

Too much regulation is about enforcing fines and threatening action, without any actual effort to ensure there is a benefit to the enforcement. What do I mean by this? I say that regulation without a prescriptive solution and guidelines is useless, as too often we see regulations, but enforcement is chronically unfunded or unsupported. Nothing illustrates this better than the ICO declining to investigate the EasyJet data breach, citing "a lack of resource" as the reason.

A great example of new regulation is the Telecom Security Act that describes what the requirements are for being a telecom services provider, but what they've attached to that is a bunch of requirements, business practices and best practices in terms of cybersecurity. This is solid and the right way to deliver regulation!

They have basically put a line in the sand and said, "if you don't do these things and we have to investigate you because you have had a data breach, we are going to crush you because you're non-compliant." Organizations under other regulations are instead forced to play a game of "you are breaking the rules, but we are not going to tell you how to not break the rules."

This is not a good way to go about enforcement. It's like getting a ticket for speeding on a road where no speed limit is posted.

The BA Case

Another example is the BA data breach. During and before the pandemic, BA was threatened with a £183 million fine because of the credit card breach that they suffered. It should be noted that BA received £2 billion in a state-backed loan, guaranteed in part by the UK's export credit agency, UK Export Finance (UKEF). In that context, this "large" fine was very surprising.

The Information Commissioner had originally served a Notice of Intent to fine BA £183.39 million. The final fine would have been £30 million, but was reduced by 20% to £24 million to take account of mitigating factors, including later improvements to security and BA’s offer to reimburse any losses suffered by customers.

The fine was then reduced to £20 million considering the Commissioner’s Covid-19 related regulatory action policy amendments. The penalty notice was served on 16th October 2020. The breach affected nearly 430,000 data subjects.

There is no doubt in my mind that lawyers working for BA managed to negotiate this down, perhaps even extending the terms of repayment and interest rates? We will never know for certain, as those conversations would be privileged.

It is worth recognizing that the UK government supported BA through the pandemic because nobody was flying, yet BA cargo flights were a vital part of the Covid-19 vaccine response. Clearly, a great argument was made by BA's representatives to the ICO.

Consider Mitigating Circumstances

Regulation is great, but at the end of the day, when a data breach has happened and an investigation pulls all of that up, all you need to be able to articulate is "this was the system, it was vulnerable, we knew that, and we made and executed a best effort", and, in the UK, the company's fine is reduced considerably.

I feel the ICO lost a lot of respect by proposing a massive fine to hold an organization accountable, only for it to end up being reduced to a tiny amount in comparison.

We are at a point in cybersecurity where we realize that regulation and compliance without a prescriptive framework to get your organization compliant is useless. Cybersecurity is not exactly a high bar, yet some firms still struggle with it.

Ian Thornton-Trump CISO Cyjax