Companies are being fined for failure to detect and remediate persistent data breaches.
The UK Information Commissioner’s Office (ICO), enforcing the EU’s General Data Protection Regulation (GDPR), has announced its first record-setting fine: £183 million (about $230 million) against British Airways (BA) for failing to protect the payment card data of roughly 500,000 individuals.
The proposed fine equals 1.5 percent of BA’s 2017 revenues (the breach was disclosed in Sep. 2018). It is well below the GDPR ceiling of four percent of annual global turnover, and under the “one stop shop” provisions of GDPR the airline will not face additional fines from other EU regulators for the same incident. Nonetheless, this is a wake-up call that regulators are willing to penalize firms aggressively when they fail to provide the level of privacy protection their regulations require.
It has been little more than 13 months since GDPR went live.
Small business owners and enterprises have spent significant time and energy trying to become compliant, but all indications are they still have a way to go. Before the BA fine, 206,326 breach reports and complaints had been logged and about $63 million in fines issued, according to the European Data Protection Board.
Only about half of the cases have been completed and closed to date so we can expect the value of the fines to increase significantly.
BA’s Lax Security
According to an investigation by Britain’s Information Commissioner’s Office (ICO), British Airways experienced a data breach that rerouted customers to a fraudulent site designed to steal their payment card data.
The fake site enabled the hackers to harvest the personal data of approximately 500,000 BA customers over a period of more than three months (June to Sep. 2018). The ICO stated that the severity of the fine is not because the airline suffered a breach but because of BA’s poor security posture at the time of the breach.
The ICO’s statement says “the ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.”
BA and its parent company, International Airlines Group, plan to appeal the fine. BA has already made a number of security improvements and has apologized for the breach. The airline also noted that, to date, it has found no evidence of fraud on accounts linked to the attack. But no one knows what the future will bring.
Other Year-on GDPR Findings
Recently, the UK’s ICO announced its intention to fine Marriott $125 million for its failure to detect and remediate a data breach that persisted for four years.
The breach occurred in the now-discontinued Starwood reservation system, and began before Starwood was acquired by Marriott. While the total exposure was 339 million guest records globally, only about 30 million of those belonged to European residents. The fine works out to just 0.6 percent of Marriott’s 2017 revenues.
For comparison, had the California Consumer Privacy Act (CCPA) been in force at the time, and had 10 percent of the exposed records belonged to California residents, the potential penalty could have been $300 million or more.
Enterprises have a long way to go before they are fully compliant with GDPR, not to mention CCPA and other international privacy legislation. The largest exposure likely comes from secondary uses of personal data, which in most cases consumers have not authorized or approved.
These derivative uses include analytics and marketing applications. The best example of this type of exposure is Facebook’s $5 billion settlement with the U.S. Federal Trade Commission for mishandling user personal information.
GDPR (more specifically, its penalties) has moved privacy compliance from the hidden confines of the back office to the boardroom.
As more and more materially significant fines are announced, small business owners and IT executives can expect Board members to pay closer attention to privacy risk exposures and demand more information. Furthermore, small business executives need to recognize that far more customer databases and applications exist than most companies realize, and each one could come back to bite them later with further fines.
Compliance with GDPR and the patchwork quilt of privacy laws will not be an inexpensive endeavor, especially since privacy definitions, requirements, and enterprise obligations differ by regulation.
Small business owners and IT executives, and Board members, must understand the business obligations created by GDPR, other privacy laws, and increased federal oversight, and determine the budgetary requirements needed to comply with each of the consumer rights and associated business responsibilities.
Since zero compliance risk is not a reasonable expectation, small business owners need to also determine what funds and resources are needed to achieve an acceptable level of risk.