23 October 2020
In May 2020, UK airline EasyJet announced that the personal data of over 9 million of its customers had been breached in a cyberattack.
The airline could face massive financial and reputational consequences, including a multi-billion dollar lawsuit and a possible administrative fine under the EU General Data Protection Regulation (GDPR).
This article will look at what happened, the possible impact on EasyJet, and what the GDPR says about avoiding and reporting data breaches.
Here's what we know so far about the EasyJet data breach and its consequences.
Between October 17, 2019, and March 4, 2020, a "highly sophisticated attacker" exfiltrated over 9 million EasyJet customers' records. The compromised data included email addresses, travel information, and, in some cases, payment card information.
EasyJet put out a statement on May 19, 2020, apologizing to its customers. It said it would individually notify every affected customer by May 26.
The hackers' identities, techniques, and motives remain unknown.
It's hard to predict what penalties might be imposed on EasyJet as a result of this incident. However, given the scale of the breach, EasyJet could face a substantial fine.
In July 2019, the UK's Data Protection Authority (DPA), the Information Commissioner's Office (ICO), announced its intention to fine British Airways, another UK airline, for £183.39 million (approximately $236.35 million). The British Airways data breach involved just 500,000 individuals.
So what sort of a fine awaits EasyJet? Let's look at the two classes of "administrative fines" under the GDPR.
Under Article 83 (3), a data controller or processor can be subject to a fine of up to:
"Article 83 (3)" fines are the smaller of the two classes of fine and can be imposed for breaching most parts of the GDPR, including the failure to implement proper data protection and cybersecurity measures.
Heavier fines are available under Article 83 (4), whereby a data controller or processor can be liable for up to:
Article 83 (4) fines are reserved for more serious violations of the GDPR, including:
If EasyJet violated Article 32 of the GDPR, by failing to implement appropriate data security measures, this is most likely to result in an "Article 83 (3)" fine.
However, if it is determined that EasyJet violated the GDPR's principle of "confidentiality and integrity," a larger, "Article 83 (4)" fine is possible.
Whichever type of fine EasyJet receives (if any), it is unlikely that EasyJet will receive the very largest fine available.
Article 83 (2) GDPR sets out the factors relevant to determining how large a fine should be:
In the event of a data breach, several factors determine the size of a fine, including:
Legal firm PGMBM is taking forward a "representative claim" (class action) to the English High Court. The firm says that claimants could receive "up to $2000 or €2000 in certain cases." On this basis, the total damages could be up to €19 billion (approximately $22.4 billion).
The case is proceeding under the UK's Data Protection Act 2018, which incorporates the GDPR, and English civil law ("the torts of misuse of private information/breach of confidence," according to PGMBM).
It is very hard to say whether the case will succeed. The English legal system has not recognized many "class action"-style lawsuits.
Article 82 of the GDPR grants a "right to compensation and liability," whereby "any person who has suffered material or non-material damage as a result of an infringement" can receive compensation (damages) from a data controller.
Despite some very large administrative fines, there have been few examples of successful legal claims under the GDPR. But either way, being subject to a multi-billion dollar lawsuit is something that any business will want to avoid.
It is unclear how much responsibility EasyJet bears for this data breach, and whether it took all reasonable steps to secure its customers' personal data.
Article 32 of the GDPR requires data controllers and processors to keep personal data secure:
The above excerpt is quite general, and the only specific measure suggested is "the pseudonymization and encryption of personal data."
Other measures to protect personal data include:
There is no suggestion that EasyJet failed to implement these sorts of measures. However, the extent of any penalty or damages will be partly determined by how well EasyJet secured its customers' personal data.
To avoid suffering the same issues as EasyJet, you must take every reasonable step to secure your customers' personal data. For more information, see our article Protecting Personal Data in Your Business.
The GDPR provides a procedure for reporting a suspected or actual data breach. Let's take a look at this procedure and whether EasyJet appears to have followed it.
By reporting its data breach to the UK's DPA, EasyJet was following Article 33 of the GDPR:
Under the GDPR, it's not necessary to report every data breach.
Article 33 states a data controller must notify its DPA about a breach unless the breach "is unlikely to result in a risk to the rights and freedoms of natural persons." "Natural persons" means any individual, not just the data subjects whose personal data was breached.
Data processors who suffer a breach must inform their data controller.
So how do you know whether a data breach is serious enough to report to the DPA? What is a "risk to the rights and freedoms of natural persons"? Recital 85 provides some insight:
The above excerpt provides the following examples of incidents that might trigger data breach notification:
EasyJet's data breach involved the following types of personal data:
Due to the risks of identity theft and financial loss, it was clearly necessary for EasyJet to report its data breach to the ICO.
If you are in any doubt as to whether you need to report a data breach, we recommend that you report it.
If you decide not to report a data breach to your DPA, you must still record the incident and detail your assessment, in case you have to justify this decision at a later date.
According to Article 33, you must notify your DPA "without undue delay and, where feasible, not later than 72 hours after having become aware of it."
If you are unable, for whatever reason, to report a data breach to your DPA within 72 hours, you must explain the reasons for your delay.
Unnecessarily delaying notification would be considered a very serious breach of the GDPR, and could make any penalties imposed due to your data breach more severe.
Article 33 (3) sets out what you need to tell your DPA:
In summary, your data breach notification to the DPA must include information about:
If your notification is late, you must also explain why.
Article 34 of the GDPR requires controllers to notify the data subjects that have been affected by a data breach, as well as the DPA. This rule only applies under certain conditions:
"Data subjects" are individuals to whom personal data relates. In the case of the EasyJet breach, this means EasyJet's customers.
Article 34 states that controllers must notify data subjects about a breach if it "is likely to result in a high risk to rights and freedoms of natural persons." The distinction between Article 33 and Article 34, in this regard, is the word "high."
The ICO provides an example of where notification to data subjects must occur:
In the above example, the ICO considers the nature of the personal data and the consequences of the data breach.
In the EasyJet case, the nature of the personal data involved is relatively sensitive, including financial and travel data. However, it appears that no "special category" (sensitive) personal data was breached.
The consequences of the data breach appear to have been significant. Initially, EasyJet said there was no evidence that the data had been misused. However, UK police agency Action Fraud reported in June that £11,752.81 in losses had been reported.
On balance, the EasyJet case certainly appears to have met the threshold for data subject notification.
Article 34 provides three reasons why a controller might not need to notify data subjects:
A controller may not need to notify data subjects if:
The threshold for the "disproportionate effort" exception appears to be very high. Even though the EasyJet case involved around 9 million data subjects, EasyJet was still required to notify them individually in addition to making a "public communication."
Note that the GDPR requires notification to be given to data subjects "without undue delay." EasyJet reportedly became aware of the breach in January 2020, but it did not notify data subjects until May 19, 2020.
So, what's behind this delay? Does the GDPR cite any acceptable reasons to delay notification of data subjects for two months? Will this cause a problem for EasyJet?
Regarding the reason for delaying notification of its customers about the breach, an EasyJet spokesperson told the BBC:
"We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed."
If EasyJet did not know the identities of the affected customers until May, then it may be reasonable that it did not notify the data subjects earlier.
Note that certain data breach laws, such as the New York Shield Act, require a business to publicize a data breach on its website and via broadcast media channels whether or not the affected individuals' identities are known.
The GDPR does not require controllers to publicize data breaches in this way. However, the controller can make "a public communication or similar measure" if "it would involve disproportionate effort" to notify individual data subjects. It's not clear why EasyJet did not do this in early January.
Most importantly, EasyJet did notify the ICO in a timely way, and the regulator has apparently guided the company throughout its breach response.
Article 34 (4) states that Data Protection Authorities may take decisions about notifying data subjects of a breach:
Also, note that Recital 86 states that controllers should work in close co-operation with the DPA when notifying data subjects about a breach, and should respect the DPA's guidance:
In addition to the reasons for delaying notification to data subjects discussed above, Recital 86 gives another reason why it may be justifiable to delay notifying data subjects:
The above excerpt effectively states that you may prioritize containing a data breach over notifying data subjects.
Furthermore, Recital 88 provides another potential reason for delaying notification to data subjects:
The above excerpt states that you may need to delay notifying data subjects about a data breach if notifying them earlier would hamper a legal investigation into the data breach.
Article 34 states that your notification to data subjects must state, in "clear and plain language":
You should also inform data subjects of any steps they can take to mitigate the impact of the breach, for example:
For more information, see our article GDPR Data Breach Notice Letter.
The extent of the damage to EasyJet remains unknown. It may face a significant administrative fine and have to pay substantial damages to its customers.
However, even if the issue were resolved tomorrow, the airline has already spent time and resources trying to mitigate the impact of its data breach and protect its reputation.
The case serves as an important reminder for your business to be proactive in its GDPR-compliance efforts:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.