BA's record fine could help make the public take data security more seriously
British Airways (BA) has received a record fine after details of around 500,000 of its customers were stolen in a data breach. The fine was possible thanks to new rules introduced last year by the EU's General Data Protection Regulation (GDPR), which gave the British regulator powers to impose much larger penalties on companies that fail to protect their customers' data.
But fines like these don't just act as a business deterrent because of their financial cost. They are also a method of public shaming that we can use as a form of social control to force companies to act more ethically. And research has demonstrated that social (dis)approval can be a more powerful motivator than financial factors.
The public nature of the fine is embarrassing for BA, as it reminds the public of the data breach and delivers an official verdict that the company was at fault. The huge size of the fine also indicates how serious the breach was. As a result, BA will rightly be worried about what damage the fine might do to its reputation.
Reputation is a valuable commodity for companies, and in some instances can matter more to consumers than the price of products when they are choosing who to buy from. We tend to draw simplistic conclusions about the people and groups around us based on their behaviour, a phenomenon known as . This suggests a fine could lead consumers to conclude that if a company cannot protect its data, regardless of whether that data has any value, then it should not be trusted on other aspects of its operations.
Although GDPR has hugely increased the size of the penalties for breaches, BA isn't the first organisation the UK has publicly fined for breaking data protection rules, and previous penalties have gone to Facebook, Uber and the Royal Mail. Given the importance of reputation to companies, there's a chance these organisations would rather have accepted a higher fine in exchange for the amount not being made public.
Establishing social norms
The fine won't just have an impact on BA either. Online data breaches are a relatively new phenomenon, but this sort of public shaming is an old method of social control. It sets and reinforces social norms and standards about what all organisations should be expected to achieve, a message that can be intended for both businesses and the public.
My research has shown how social norms exert influence over people's behaviours and attitudes. We judge ourselves and others by how closely we adhere to our collective perceptions of how we, as a society, believe we should be performing.
It's not easy for a society to reach a consensus on what a social norm should be for a new phenomenon, especially in situations where we are uncertain about our own degree of knowledge and understanding. For most people, hacking and hackers remain a murky and ill-defined threat that is hard to define or quantify, as are the dangers of having your data released into the wild.
But there are signs that consumers are becoming more concerned about businesses that do not keep their data secure, particularly after the introduction of GDPR. High-profile businesses receiving major fines could help spur this process further.
Stereotypical portrayals of hackers don't help.
New normal
But that's not the end of the story. At the time of the breach, BA described it as a "sophisticated, malicious, criminal attack". This sort of narrative implies that it is difficult for organisations to protect themselves against highly motivated and technically skilled criminals. Stereotypical portrayals of hackers as hoodie-wearing lone geniuses support the idea that it is impossible for any organisation to fully prevent attacks.
While not exactly putting a positive spin on a company's involvement in a data breach, this idea does limit the damage done to its reputation. It assumes that organisations are already doing everything they can reasonably do to protect their systems and customers.
Hacker communities take a different view, arguing that many large organisations fail to take the basic steps that could be expected of them, despite having the resources to do so. If this is the case, we can expect to see more companies hit by penalties that could be even larger (the rules allow fines of up to 4% of a company's annual global turnover, or €20m if that is greater).
But social norms are fluid. What can seem shocking or extreme at one moment can quickly become the new normal. Heavy fines always cause financial pain to organisations, but if they become widely used and publicly reported then there is a risk that they come to be seen as simply the cost of doing business, as arguably has happened with fines relating to . This would make fines less damaging to a company's reputation and so less useful in forcing firms to do their best to protect customer data.
As such, only a strategic use of fines will help the public see how serious it is when organisations fail to live up to the data standards our new laws have set. If this is achieved then it may help the public understand the seriousness of data security, and in turn take greater responsibility for their own safety online.
, Associate Professor in Psychology,
This article is republished from The Conversation under a Creative Commons license.