Dear BA and Marriott: Your GDPR Fines Are Important to UsPrivacy Regulator's Clear Security Message: Act Now to Avoid 'Disappointment'
The data protection gloves have finally come off in Europe after the EU's General Data Protection Regulation went into effect last May. Consider the tables now turned on organizations that fail to take their data protection responsibilities seriously.
On Monday, Britain's data protection authority, the Information Commissioner's Office, announced a proposed fine of £184 million ($230 million) against British Airways after breaches last September and October enabled attackers to route customers to a fraudulent site, exposing 500,000 customers' personal details.
"It seems like large GDPR data breach investigations might be a bit like buses. You wait for a while for one and then two come at once."
On Tuesday, the ICO confirmed a proposed fine of £99 million ($125 million) against Marriott International for its failure to stop a four-year breach that globally exposed approximately 339 million customer records.
Both fines are the first major, proposed sanctions - they are not yet final - over data breaches that have occurred since GDPR enforcement began on May 25, 2018. The law empowers EU regulators to levy fines of up to 4 percent of an organization's annual global revenue or £17.9 million ($22.5 million) - whichever is greater - if they violate Europeans' privacy rights, for example, by failing to secure their personal data (see: GDPR: Europe Counts 65,000 Data Breach Notifications So Far).
"It seems like large GDPR data breach investigations might be a bit like buses. You wait for a while for one and then two come at once," says Jonathan Armstrong, an attorney at London-based Cordery.
Brace for More Fines
More GDPR fines are likely on the way, says Brian Honan, who heads Dublin-based cybersecurity consultancy BH Consulting. "Many GDPR breaches, especially the highly publicized ones, can take a long time for proper investigations by the supervisory authorities," Honan tells me. "What we are seeing now are the beginnings of the supervisory authorities issuing penalties under GDPR, and I expect we will see many more over the coming months."
In a note to clients, André Bywater, also an attorney at Cordery, says of both the Marriott and BA sanctions: "It is important to stress that this is an intention to fine, i.e. it is not yet a fine."
Both businesses now have a chance to comment, as do other European data protection authorities. The ICO notes that while it has taken the lead on both investigations, "under the GDPR 'one stop shop' provisions, the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO's findings."
Already, both British Airways and Marriott are attempting to spin the proposed sanctions from the same playbook, using emotive language to stand in for inconvenient facts.
"We are surprised and disappointed in this initial finding from the ICO," said Alex Cruz, chairman and chief executive of British Airways.
"We are disappointed with this notice of intent from the ICO, which we will contest," said Arne Sorenson, president and CEO of Marriott.
File their heartbreak next to breach notifications that read: "Act now to claim your free identity theft monitoring!"
Indeed, consider the fines to be some long-awaited potential justice for data breach victims used to receiving marketingese-filled breach alerts from firms that failed to protect their personal information, filled with pronouncements about how they're working with law enforcement authorities to seek out the sophisticated criminal perpetrators, and how the security of their personal data is important to them (see: Congratulations: You Get 'Free' Identity Theft Monitoring).
As Rick Holland, CISO of threat intelligence firm Digital Shadows, notes, personal data often hasn't seemed important enough for many breached businesses to have been protecting it with any degree of sophistication in the first place.
Post breach, this statement: "We take the privacy and security of customer/client/guest information very seriously" drives me CRAZY— Rick Holland (@rickhholland) July 9, 2019
Tell It to Investors
Marriott's fine was first revealed after the hotel giant warned investors that it might be on the hook, via a notice to the U.S. Securities and Exchange Commission. Investors will likely now be asking the company why it failed to spend a relatively small amount to protect its systems, versus the risk of incurring a much larger fine.
The proposed $230 million fine against British Airways represents about $40 per record exposed in the breach, with the total equaling about 6 percent of airlines' 2018 profit, says John Pescatore, director of research for the SANS Institute. Now add that to what the company likely spent on post-breach incident response. "The hard costs - dealing with the problem, communicating with impacted customers, providing credit check services, dealing with lawsuits, etc. - are typically $50 to $75 per record, or another $250 million," he writes in a recent SANS newsletter.
"So, the total cost of this one incident is about $500 million, or over 10 percent of BA's 2018 profit," Pescatore says. "The cost of avoiding making sure the web software didn't have easily exploited vulnerabilities before it was allowed on the website would have been less than 1 percent of that eventual cost."
You Buy It, You Own It
Surely British Airways and Marriott are disappointed because the breaches trace respectively to a third party and an acquired business. Who could have seen them coming?
"These two cases are also a key lesson and reminder to companies to check the third parties they deal with, in the case of British Airways checking and securing the third-party code they used on their website, and in the case of Marriott conducting extensive due diligence on the data and relevant systems securing that data as part of an acquisition," says Honan, who is also a cybersecurity adviser to Europol, the EU's law enforcement intelligence agency.
The Marriott breach appears to have begun in 2014, when the customer database for Starwood Hotels & Resorts Worldwide was hacked. Marriott acquired Starwood in September 2016 for $13 billion, and failed to spot the breach until November 2018.
The incident recalls another, similar merger and acquisition failure involving London telecommunications giant TalkTalk, which acquired the U.K. operations of Italian telecommunications firm Tiscali in 2009. Fast-forward to October 2015, when an attacker used a SQL injection attack to breach a buggy Tiscali-era database that TalkTalk had failed to manage or retire, exposing information on 157,000 customers. The ICO responded by imposing the maximum possible sanction (see: TalkTalk Slammed with Record Fine Over Breach).
"Organizations clearly need to undertake thorough due diligence when making a corporate acquisition," writes Cordery's Bywater. "For example, during the due diligence process, a buyer will need to investigate the target business' data protection compliance, including its security systems, and when negotiating a share purchase agreement or asset purchase agreement including post-migration of personal data."
Act Now, Don't Delay
The message from regulators is clear: If you buy it, you own it. Also, any organization's ability to process customer data remains a privilege, not a right.
"Personal data has a real value, so organizations have a legal duty to ensure its security, just like they would do with any other asset," says U.K. Information Commissioner Elizabeth Denham. "If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public."
Memo to all businesses that store Europeans' personal data: Act now to avoid disappointment.