
Do the regulators take into account whether the firm is actually at fault?

Without considering what happened in this specific scenario, surely there are cases where companies take the utmost care, follow standard security principles and still get hacked; or the issue was not with the company operating the website but rather with, say, a hardware manufacturer?



> Do the regulators take into account whether the firm is actually at fault?

To echo others: yes, a lot. To quote the Information Commissioner:

> "I have no intention of changing the ICO’s proportionate and pragmatic approach after 25 May [the GDPR intro date] ... Hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law."

A good overview of the ICO's approach: https://www.pinsentmasons.com/out-law/news/gdpr-uk-watchdog-...

The whole draft policy for how the ICO applies its powers is here. It's a good read, but not short: https://ico.org.uk/media/2258810/ico-draft-regulatory-action...


Yes, the regulators do take all things into consideration. A fine is the final measure.

In the case of BA, they ran third-party scripts on account and payment pages without users’ consent, did not remove them even after being alerted to it, and then succumbed to a data breach because of that.
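The comment above turns on one concrete control: knowing which scripts actually run on a payment page and refusing the ones that should not. The snippet below is an added example, not code from the thread or from BA: it scans a constructed checkout page for `<script>` tags, flags every third-party script that is not both explicitly approved and pinned with a Subresource Integrity digest, and builds the Content-Security-Policy header that would block unlisted origins. The hostnames, the approved list and the SRI digest placeholder are all assumptions for illustration.

```javascript
// Added example (not from the HN thread): inventory the <script> tags on a
// checkout page, flag third-party ones, and derive the CSP that would block
// anything not explicitly approved. The sample HTML below is constructed;
// the hostnames are placeholders, not BA's real markup.

const SAMPLE_PAYMENT_PAGE = `
<html><head>
  <script src="/static/checkout.js"></script>
  <script src="https://cdn.example.net/helper.js"></script>
  <script src="https://tag.example.org/t.js"
          integrity="sha384-REPLACE_WITH_REAL_DIGEST" crossorigin="anonymous"></script>
  <script>window.inlineFlag = 1;</script>
</head><body>...</body></html>`;

function auditScripts(html, firstPartyOrigin, approvedThirdParties = []) {
  const approved = new Set(approvedThirdParties);
  const findings = [];
  // Naive tag scan: adequate for an audit, not a full HTML parser
  // (an attribute value containing '>' would confuse it).
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i);
    if (!srcMatch) {
      // Inline script: a CSP without 'unsafe-inline' refuses to run it.
      findings.push({ src: null, origin: null, thirdParty: false, sri: false, risk: 'inline' });
      continue;
    }
    const src = srcMatch[1];
    // Relative URLs resolve against the first-party origin.
    const origin = new URL(src, firstPartyOrigin).origin;
    const thirdParty = origin !== firstPartyOrigin;
    const sri = /\bintegrity\s*=/i.test(attrs);
    // A third-party script is acceptable only if its origin is on the approved
    // list AND its content is pinned with an integrity digest.
    let risk = 'ok';
    if (thirdParty && !(approved.has(origin) && sri)) risk = 'remove-or-pin';
    findings.push({ src, origin, thirdParty, sri, risk });
  }
  return findings;
}

// The header that makes the approved list enforceable in the browser.
function buildCsp(firstPartyOrigin, approvedThirdParties = []) {
  const sources = [firstPartyOrigin, ...approvedThirdParties];
  return `script-src ${sources.join(' ')}; object-src 'none'; base-uri 'none'`;
}

// Stand-alone run: print the findings and the header that would enforce them.
if (typeof require !== 'undefined' && require.main === module) {
  const firstParty = 'https://shop.example';
  const approved = ['https://tag.example.org'];
  console.table(auditScripts(SAMPLE_PAYMENT_PAGE, firstParty, approved));
  console.log('Content-Security-Policy:', buildCsp(firstParty, approved));
}
```

Two things the audit makes visible that a "we follow standards" statement does not: an origin allowlist in CSP stops scripts from unlisted hosts but says nothing about what an approved host serves, so the `integrity` attribute is what actually pins the code that runs on the payment page; and any script that lands in the `remove-or-pin` bucket after the team has been told about it is exactly the kind of finding a regulator reads as negligence rather than bad luck.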


They do in some form. Largely though, "regulator" action tends to be outcome based. Relying on "standards" can be difficult. In some cases, standards exist and ignoring them can point to negligence. Conversely though, standards don't exist for a lot of things and when they do, they're not a full solution. I.e., it's possible to follow "standard security practices" while still being insecure. If regulators make that a "get-out"... you may as well just have legislation instead of a regulator.

In recent times, regulators and legislators don't understand the problems (maybe no one does) sufficiently to be specific with rules. They demand general things, outcomes (you will not lose data) and general operating principles (you will secure your users' data , have good policies, and enforce them).

Both data protection (e.g. GDPR) and anti-money-laundering rules are examples of recent areas that work this way. If a bank's customer has been depositing stolen money, financing terrorism or something... the bank is at risk. Their policies will be examined and circumstances do get taken into account, but the "standards" they're judged against aren't absolute and standards compliance doesn't totally protect them. OTOH, if they don't adhere to their own policies or the policies are bad... it is enough to get them in trouble.

Lawyers, btw, hate this emerging system.

In short, modern "regulator enforcement" is a lot less legible & "letter of the law" oriented than the legal environments we are used to.


This is far from being a new development in Europe. Regulators have never been strict rule interpreters.



