When the General Data Protection Regulation (GDPR) went into full effect in May of 2018, there were many questions as to how regulators throughout the European Union (EU) might impose fines for violations. Today, we are starting to see the full impact and magnitude of this regulation on businesses across the globe, with massive fines being levied against two major corporations.
A recent article by Forbes explains the proposed fines against British Airways due to a cyberattack that occurred in September 2018. The $230 million fine proposed by the United Kingdom's (UK) Information Commissioner's Office (ICO) is the biggest penalty ever issued since the implementation of the GDPR.
In the incident, British Airways' website had been compromised and set up to redirect to a fraudulent payment page where customers entered their personal and financial information. The attack compromised the personal data of about 500,000 British Airways customers. British Airways reported the incident and notified customers one day after the breach, well within the GDPR's required 72-hour notification window. In addition to the regulatory fines, British Airways also faces a class-action lawsuit from the customers impacted by the breach.
The GDPR was designed to unify the EU's privacy laws and protect the personal data of its citizens. However, it is important to note that, while the regulation originates in the EU, its implications reach far beyond the borders of its member countries. The GDPR may apply to any entity that processes (collects, uses, discloses or stores) the personal data of citizens of the EU.
The D&O Diary describes another GDPR fine issued by the ICO, this time against the US-based Marriott International. The $124 million proposed fine is the result of a cyber breach that occurred prior to Marriott's acquisition of Starwood Hotels & Resorts in 2016. In the incident, the Starwood customer loyalty program website was compromised, exposing 339 million customer records, 30 million of which belonged to customers living in the EU and 7 million of which belonged to customers in the UK. Marriott did not discover the incident until several years later. The ICO report indicates that Marriott did not "conduct the proper due diligence" before Starwood was acquired and "should have done more to secure its systems." It is critical for acquiring companies to always investigate the cybersecurity posture of target companies as part of the due-diligence process.
The Future of GDPR Enforcement
The newly announced fines have important implications for all organizations. It is important to note that both companies self-reported the cyber breaches and cooperated with the investigations; had they not done so, the fines could perhaps have been larger. The maximum GDPR fine is 4% of any firm's annual revenue. A GDPR fine is based not just on the size of the breach or the number of individuals impacted, but also on the type of data that has been compromised. The proposed fine against British Airways is 1.5% of the airline's revenue, and the proposed fine against Marriott represents 2.5% of the company's global revenues. Both companies plan to appeal the fines.
These massive penalties show the potential cost of GDPR non-compliance and the impact it can have on organizations of all types and sizes. The hefty price tag of the fines is a result of the GDPR's intention that penalties be "significant, impactful and dissuasive." Levying these penalties demonstrates that regulators are not afraid to set a precedent. The significant impact on the bottom line of these companies is designed to urge them, and all other businesses, to invest heavily in security enhancements and IT infrastructure that help to protect the personal data of all customers, especially EU citizens.