European regulators are showing they are serious about the new privacy and data security regulations as they slap hefty fines against Marriott and British Airways for not properly safeguarding consumer data.
The big question when the European Union’s General Data Protection Regulation took effect last May was whether organizations would take the requirements seriously and change how they handle consumer data, or if they would just include the penalties as part of the cost of doing business. British Airways have to pay £183.39 million (or $230 million) in penalties for a 2018 data breach impacting 500,000 customers. Marriott International has been fined £99,200,396 (or $124.2 million) because unauthorized individuals had access to the guest reservation database and were able to exfiltrate customer data for years.
“The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected,” said United Kingdom’s Information Commissioner Elizabeth Denham in a statement of the intention to fine Marriott.
That’s over $350 million, or €314 million, in proposed sanctions against just two companies (Marriott plans to appeal, so the final penalty may change). Under the new rules, EU regulators can levy fines of up to 4 percent of an organization’s annual global revenue, or £17.9 million ($22.5 million), whichever is greater. The BA fine, which is 1.5 percent of the airline’s 2017 revenue, was the biggest ever issued by the ICO and the first after GDPR went into effect. In context, before last year, the largest fine from the UK ICO was £500,000, or $625,000.
The fact that the fines are so large will make it harder for organizations to defer security investments or shrug off security decisions as “not important right now.” Security performance has to be measured and managed in the same way as other business issues. The price to pay for not doing so is getting higher.
“These fines make it clear: executives and boards are responsible and accountable for cybersecurity,” said Jake Olcott, vice-president at BitSight, a cybersecurity ratings company.
Organizations now have a clear picture of what it would cost them if they decide to delay making security improvements, or don’t fully assess their procedures to understand what they are doing, said Tim Mackey, principal security strategist, CyRC, at Synopsys. “These efforts range from secure development practices, up-to-date threat models, identification of dependency risks all the way through to penetration tests and comprehensive security audits,” he said.