European Union regulators warned industry that General Data Protection Regulation fines were on the horizon. The early fines were imposed on big tech for data broking.
Now, watchdogs are going after breached companies.
This week, the United Kingdom's Information Commissioner's Office (ICO) announced its plans to fine British Airways and Marriott International a record $230 million and $124 million, respectively. The regulator plans to penalize the companies for data breaches disclosed in 2018.
The stakes set by the British Airways and Marriott penalties under GDPR are a red flag for other companies. No company can rule out a breach entirely; there will always be an unseen avenue for attackers to exploit.
But GDPR is a comprehensive law and, while the circumstances of each case are weighed, an infraction is any violation of data privacy, regardless of how it came about.
"GDPR is designed to protect consumers and their data," Tim Erlin, VP of product management and strategy at Tripwire, told CIO Dive. "The type of company holding that data is irrelevant."
Bigger financial burden
Avoiding a breach forever is an impossible task. Vulnerabilities never entirely disappear, and purely reactive security is flawed at best.
"There is not yet a definitive code of conduct stating what 'adequate measures' are exactly, but there are industry standards and frameworks that can be used for compliance such as ISO 27001 or the NIST CSF," Odia Kagan, partner at Fox Rothschild LLP and chair of the GDPR Compliance and International Privacy Practice, told CIO Dive.
The newly announced penalties are stiffer than those levied on tech companies for intentional data mismanagement. British Airways and Marriott incurred record-breaking fines for breaches, surpassing the fine imposed on Google.
For more context, read our explainer on how GDPR fine amounts are determined.
Penalties can reach up to 4% of a company's total worldwide annual turnover for the preceding financial year or €20 million, "whichever is greater," according to the regulation. Marriott International's revenue for the twelve months ending March 31, 2019 was nearly $21 billion, according to Macrotrends.
British Airways generated almost $17 billion in FY2018. Its GDPR fine represents about 1.5% of the airline's "worldwide turnover" for the fiscal year ending December 31, 2017, according to an emailed statement from British Airways.
"While Marriott may be able to absorb this financial burden, other companies are likely not large or profitable enough to do so," said Anurag Kahol, CTO and cofounder, Bitglass, in an emailed statement to CIO Dive. "For many, the cost of noncompliance can be fatally high."
Weighing the differences in fines
Though the ICO maintains the penalties match the severity of the infringements, data breaches have become a matter of "not if, but when," which raises the question of fairness.
"It is important for all companies to be above board with how they process data," including companies that use data only to provide services, like an airline or hotel, according to Kagan.
Marriott inherited its breach: the Starwood Hotels and Resorts Worldwide guest reservation database had already been compromised when Marriott acquired the company in 2016, and the intrusion was not discovered until 2018, exposing almost 400 million international guest records.
British Airways' breach compromised far fewer consumers, roughly 500,000. But the "GDPR fines are based on the results of [the ICO's] investigation," said Erlin.
While the number of compromised victims plays a role in factoring the fine, "the details of why the breach occurred are more important," he said, and right now the public doesn't have enough information to "independently evaluate the fines."