Recent large fines indicate that enforcement of consumer data privacy, under the General Data Protection Regulation (GDPR), is a priority for regulators. The GDPR creates mandatory rules for how companies must use and protect personal data, including any information that could identify a living person directly or indirectly, such as name, phone number, or address.
In a statement addressing a massive breach by Marriott, Elizabeth Denham, UK Information Commissioner at the Information Commissioner's Office, reminded businesses that “personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we [Information Commissioner's Office] will not hesitate to take strong action when necessary to protect the rights of the public.”
According to a Twitter poll conducted by Tripwire, a security firm, the majority of security professionals agree that fines against British Airways and Marriott for recent data breaches were deserved. Of those polled, 43 percent said the GDPR fines for British Airways and Marriott International were “appropriate” and 42 percent said they should have been greater. Only 12 percent thought the penalties were too high.
Understanding GDPR Fines
Fines for violations of the GDPR are generally determined according to the seriousness of the offense. A number of factors are taken into consideration, including:
- The scope of the infringement, including how many people were affected and the damages they suffered
- Whether the infringement was intentional or caused by negligence
- What steps the business took to mitigate damages to affected individuals
- What measures the business took to comply with the GDPR
- Whether the business has a history of infringements or corrective actions
- How cooperative the business is in remedying the infringement
- What type of data was impacted
- Who reported the infringement (the business or a third party)
- Whether the business was qualified under approved certifications and followed approved codes of conduct
- Other applicable circumstances
Once these factors are evaluated, the GDPR sets two tiers of maximum fines: for lesser infringements, up to 10,000,000 EUR (approx. $11,119,000) or 2 percent of total worldwide annual turnover, whichever is higher; for more serious offenses, up to 20,000,000 EUR (approx. $22,238,000) or 4 percent of total worldwide annual turnover, whichever is higher.
British Airways Case Overview
In August/September of 2018, British Airways was affected by a large-scale breach of the private data of 380,000 passengers. The information obtained during the breach included customer names, addresses, and credit card information and was collected over a 15-day period. Though the airline could identify that the information had been compromised, it was not immediately aware of how the breach occurred. Under the GDPR, a business must report a breach within 72 hours of becoming aware of it, and British Airways alerted affected passengers within one day of discovering that something had gone wrong.
A threat detection firm was brought in to investigate how the information was accessed. It was determined that the attackers had injected their own code (a script) into the airline's baggage claim information page. Personal and financial information was then sent to a database controlled by the attackers. In this way, the attackers captured passengers' personal data as they entered it while purchasing tickets online, rather than retrieving it from the airline's servers at a later date.
In July of 2019, it was reported that British Airways was facing a record fine of £183 million ($229 million) as a result of the breach. It was a strong message to the airline and to businesses everywhere that data privacy is serious business.
Marriott Case Overview
Marriott found itself in a similar situation when, on November 30, 2018, it announced that its reservation system had been compromised since July of 2014. The breach, which exposed 383 million accounts and affected more than 500 million people, involved payment card information, guest records (including personally identifiable information such as names, addresses, and phone numbers), and passport numbers. It took Marriott 11 weeks after the compromise was first reported internally to disclose the breach to affected individuals. This far exceeded the GDPR's 72-hour reporting requirement.
The breach was attributed, in part, to Marriott's failure to assess cybersecurity risks before acquiring a hotel chain and to its subsequent termination of the IT staff of the newly acquired hotels, which left Marriott without insight into what may have led to the breach. Furthermore, poor data management meant that personally identifiable information and passport numbers were not encrypted.
Marriott reported the costs of the incident at about $72 million, and it still faces a GDPR fine of more than $123 million.
Through these hefty fines, the GDPR is sending a clear message to all businesses that data breaches are serious violations resulting in costly penalties. There are steps that companies can take to reduce their risk of compromising consumer data. In addition to investing in a sound network security system that encrypts information and flags suspicious activity, organizations should draft specific data privacy policies and procedures and enforce them consistently. It is also important that cybersecurity awareness training be given to all employees on a regular basis.
No business wants to think about a data breach occurring, but the more steps that are taken to secure personally identifiable information, the lower the risk to the business. Equally important as establishing a corporate compliance program is making sure that it is regularly updated to address new developments and evolving technology. Finally, should a compromise occur, companies should have a plan in place to react quickly, remedy the damage, and cooperate fully with authorities.