Dear BA and Marriott: Your GDPR Fines Are Important to Us
British Airways hit with £183M GDPR fine—could your business be next?
The data protection gloves have finally come off in Europe after the EU's General Data Protection Regulation went into effect last May. Consider the tables now turned on organizations that fail to take their data protection responsibilities seriously.
On Monday, Britain's data protection authority, the Information Commissioner's Office, announced a proposed fine of £184 million ($230 million) against British Airways after breaches last September and October enabled attackers to route customers to a fraudulent site, exposing 500,000 customers' personal details. On Tuesday, the ICO confirmed a proposed fine of £99 million ($125 million) against Marriott International for its failure to stop a four-year breach that globally exposed approximately 339 million customer records. Both fines are the first major, proposed sanctions - they are not yet final - over data breaches that have occurred since GDPR enforcement began on May 25, 2018.
More GDPR fines are likely on the way, says Brian Honan, who heads Dublin-based cybersecurity consultancy BH Consulting. "Many GDPR breaches, especially the highly publicized ones, can take a long time for proper investigations by the supervisory authorities," Honan tells me. "What we are seeing now are the beginnings of the supervisory authorities issuing penalties under GDPR, and I expect we will see many more over the coming months." Already, both British Airways and Marriott are attempting to spin the proposed sanctions from the same playbook, using emotive language to stand in for inconvenient facts.
Marriott's fine was first revealed after the hotel giant warned investors that it might be on the hook, via a notice to the U.S. Securities and Exchange Commission. Investors will likely now be asking the company why it failed to spend a relatively small amount to protect its systems, versus the risk of incurring a much larger fine. The proposed $230 million fine against British Airways represents about $40 per record exposed in the breach, with the total equaling about 6 percent of the airline's 2018 profit. So, the total cost of this one incident is about $500 million, or over 10 percent of BA's 2018 profit.
The message from regulators is clear: If you buy it, you own it. Also, any organization's ability to process customer data remains a privilege, not a right. Memo to all businesses that store Europeans' personal data: Act now to avoid disappointment.