This week, the UK’s Information Commissioner’s Office (ICO) proposed two massive fines against companies found in violation of the EU’s newly enacted General Data Protection Regulation (GDPR).
The first came on Monday when the ICO announced the proposed £183.39m fine against British Airways for a data breach in September 2018. The breach began in June 2018 after users attempting to access British Airways’ website were diverted to a fraudulent site. The attackers used this site to harvest customer information, resulting in the personal data of approximately 500,000 customers being stolen.
British Airways first notified the ICO of the cyber-attack in September 2018. According to the ICO’s statement, their investigation found that customer information was comprised due to “poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.”
Then on Tuesday the ICO put out another statement, this time proposing a £99.2m fine against Marriott International for a data breach that was discovered in November 2018. The breach was the result of a compromise in the Starwood Hotels’ systems dating back to 2014. Marriott acquired Starwood in 2016 but did not discover the vulnerability until 2018. It is believed that roughly 339 million guest records were exposed between the initial breach and the time it was discovered.
With regards to the Marriott investigation, ICO Information Commissioner Elizabeth Denham stated, “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
The GDPR is the EU’s wide-ranging privacy regulations, requiring companies to “implement appropriate technical and organizational measures… in an effective way… in order to meet the requirements of [the] Regulation and protect the rights of data subjects.” In addition, the regulation establishes broad privacy rights for consumers, including widened conditions of consent for companies to process personal information, the right of users to obtain information on how their data is being used, and even provides users the right to request that companies delete their information.
Under the GDPR, organizations can be fined up to €20 Million or 4% of annual global profits (whichever is greater).
Both incidents make clear that the GDPR is taking matters of consumer’s privacy extremely seriously, and they’re sending a message that companies need to as well. From the perspective of the GDPR, business are not passive victims of cyber-attacks, but directly responsible for securing consumers’ information.
Every organization should take this news to heart, no matter where they do business. Lawmakers in the U.S. are beginning to pass regulations such as the California Consumer Privacy Act that are modelled after the GDPR. Fines such as those proposed against British Airways and Marriott could be devastating to a company. So, it’s essential that all business take steps to ensure they are doing the upmost to protect their data. Now.
”