British Airways (BA) has received a record fine of £183m after details of around 500,000 of its customers were stolen in a data breach in summer 2018. The fine was possible thanks to new rules introduced last year by the EU’s General Data Protection Regulation (GDPR), which gave the British regulator powers to impose much larger penalties on companies that fail to protect their customers’ data.
But fines like these don’t just act as a business deterrent because of their financial cost. They are a method of public shaming that we can use as a form of social control to force companies to act more ethically. And research on consumer behaviour has demonstrated that social (dis)approval can be a more powerful motivator than financial factors.
The public nature of the fine is embarrassing for BA, as it reminds the public of the data breach and delivers an official verdict that the company was at fault. The huge size of the fine also indicates how serious the breach was. As a result, BA will rightly be worried about what damage the fine might do to its reputation.
Reputation is a valuable commodity for companies, and in some instances can be more important to consumers than the price of products when they are choosing who to buy from. We tend to make simplistic conclusions about the people and groups around us based on their behaviour, a phenomenon known as fundamental attribution error. This suggests a fine could lead consumers to conclude that if a company cannot protect its data - regardless of whether it has any value - then it should not be trusted on other aspects of its operations.
Although GDPR has hugely increased the size of the penalties for breaches, BA isn’t the first organisation the UK has publicly fined for breaking data protection rules, and others include Facebook, Uber and the Royal Mail. Given the importance of reputation to companies, there’s a chance these organisations would have rather accepted a higher fine in exchange for the amount not being made public.
Establishing social norms
The fine won’t just have an impact on BA either. Online data breaches are relatively new phenomena, but this sort of public shaming is an old method of social control. It sets and reinforces social norms and standards about what all organisations should be expected to be able to achieve, a message that can be intended for both businesses and the public.
My research has shown how social norms have a powerful influence over people’s behaviours and attitudes. We judge ourselves and others in relation to adherence to our collective perceptions of how we, as a society, believe we should be performing.
It’s not easy for a society to reach a consensus on what a social norm should be for a new phenomenon, especially in situations where we are uncertain about our own degree of knowledge and understanding. For most people, hacking and hackers remain a relatively murky and ill-defined threat that is hard to define or quantify, and the dangers of having your data released into the wild aren’t easy to see.
But there is evidence that consumers are becoming more concerned about businesses that do not keep their data secure, particularly after the introduction of GDPR. High-profile businesses receiving major fines could help spur this process further.
But that’s not the end of the story. At the time of the breach, BA described it as a “sophisticated, malicious, criminal attack”. This sort of narrative implies it’s difficult for organisations to protect themselves against highly motivated and technically skilled criminals. Hollywood portrayals of hackers as hoodie-wearing lone geniuses support this idea that it’s impossible for any organisation to fully prevent attacks.
While not exactly putting a positive spin on a company’s involvement in a data breach, this idea does limit the damage done to its reputation. It assumes that organisations are already doing everything they can reasonably do to protect their systems and customers.
Hacker communities take a very different position, arguing that many large organisations fail to take the basic steps that could be expected of them, despite having the resources to do so. If this is the case, we can expect to see more companies hit by penalties that could be even larger (the UK’s rules allow fines of up to 4% of a company’s turnover).
But social norms are fluid. What can seem shocking or extreme at one moment can quickly become the new normal. Heavy fines always cause financial pain to organisations, but if they become widely used and publicly reported then there’s a risk that they become seen as the cost of doing business, as arguably has happened with fines relating to health and safety. This would make fines less damaging to a company’s reputation and so less useful in forcing firms to do their best to protect customer data.
As such, only a strategic use of fines will help the public see how serious it is when organisations fail to live up to the data standards our new laws have set. If this is achieved then it may help the public understand the seriousness of data security, and in turn take greater responsibility over their own safety online.