Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 18 submissions in the queue.
posted by chromas on Friday July 19 2019, @06:39PM   Printer-friendly
from the as-promised dept.

GDPR Shows Its Teeth, Goes After Breached Companies

In 2018, the European Union (EU) General Data Protection Regulation (GDPR) heralded in the most important change in data privacy regulation in 20 years.

[...] EU regulators have long warned that non-compliance with GDPR would result in hefty penalties. Beginning as early as 2018, tech giants Facebook and Google faced scrutiny for a lack of transparency about the data they collect. They were eventually fined €56 million.

But tech companies aren't the only ones in the spotlight. CIO Dive reports that in July 2019, the UK's Information Commissioner's Office announced plans to fine British Airways and Marriott International $230 million and $124 million, respectively, for data breaches reported in 2018.

This action is a huge red flag for all companies. It signifies that GDPR is far more broad reaching than most firms had anticipated.

"The aim of the GDPR is to protect all EU citizens from privacy and data breaches in today's data-driven world," states the regulation. "Under the GDPR, breach notifications are now mandatory in all member states where a data breach is likely to 'result in a risk for the rights and freedoms of individuals.' This must be done within 72 hours of first having become aware of the breach."

The penalties are severe. Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is greater. In the case of British Airways and Marriott, the fines were stiffer than those incurred by tech companies.

Ironically, the breach doesn't have to come from within to incur the wrath of GDPR enforcers. Marriott was never directly breached. The attack came from an already compromised server inherited during Marriott's 2016 acquisition of the Starwood Hotels group.

Marriott is not alone. Today, 59% of breaches originate with third-party vendors and 53% of acquiring businesses say they've encountered a cybersecurity issue or incident that put an M&A deal in jeopardy.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by DannyB on Friday July 19 2019, @06:58PM (12 children)

    by DannyB (5839) Subscriber Badge on Friday July 19 2019, @06:58PM (#869116) Journal

    I have argued previously that the liability should be squarely on the manufacturer. (Or vendor if manufacturer cannot be found, such as buying from fly-by-night manufacturer on Amazon.)

    People would then argue that I was advocating:
    * government standard code implementations
    * government certification of some type
    * government testing program of some type

    Nope. Nothing of the sort. Just liability where it belongs.

    This would suddenly make it a whole lot cheaper for manufacturers to:
    * put actual resources into securing their Internet of Trash implementations
    * cooperating with other manufacturers on secure practices, libraries, common implementations, etc. In an open-source like fashion.

    All that said, maybe GPDR will still end up causing it to be much cheaper to take measures not to get breached. But I think it puts the blame possibly on the wrong party. Sometimes. But maybe not always. Even if you buy a secure system, that doesn't mean you will operate it in a secure manor manner.

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 0) by Anonymous Coward on Friday July 19 2019, @07:04PM

    by Anonymous Coward on Friday July 19 2019, @07:04PM (#869120)

    "Even if you buy a secure system, that doesn't mean you will operate it in a secure manner."

    Even assuming your manor is secured your hardware is still vulnerable to online attacks!

    Anyway, you nailed it with the last sentence. The burden has to start with the origin and work its way back up the chain. Vendors should create secure products, but they can't control their customers so I think the blame is being correctly placed. If privacy legislation really does take off then the company with good security will be running a gold mine.

  • (Score: 2) by vux984 on Friday July 19 2019, @07:49PM (4 children)

    by vux984 (5045) on Friday July 19 2019, @07:49PM (#869143)

    " But I think it puts the blame possibly on the wrong party."

    Probably, in the short term, but the pressure is going to work its way back up the chain.

    If I was facing a 200 million fine, I'd find the spare change to put some lawyers on investigating whether negligent/irresponsible practices by a vendor are responsible and sue them for my damages. If it's because if it's security swiss-cheese the developer can show absolutely no documentation to support they did any sort of security testing or risk analysis at all...all while marketing that their device was all kinds of secure... then they might also be found liable. After a couple of those lawsuits; customers like marriot etc are going to demand vendors demonstrate they are taking security seriously up front, and the vendors will be making sure they're practicing some sort of quality control that will at least meet some threshold of due diligence, and the situation overall might improve.

    • (Score: 0) by Anonymous Coward on Friday July 19 2019, @10:34PM (2 children)

      by Anonymous Coward on Friday July 19 2019, @10:34PM (#869188)

      All software comes with an eula that disclaims any and all liability, and likewise that it isn't the manufacturers fault if it doesn't "work as advertised". Every single eula ever is worded in that way. The problems begin with this mindset.

      • (Score: 2) by deimtee on Saturday July 20 2019, @09:46AM (1 child)

        by deimtee (3272) on Saturday July 20 2019, @09:46AM (#869336) Journal

        Big companies like BA and Marriott are not running their systems on a copy of MYOB. They will have service contracts and extended dealings with vendors. EULA's, even if you concede that they are contracts (which I don't), will not be relevant.

        --
        If you cough while drinking cheap red wine it really cleans out your sinuses.
        • (Score: 0) by Anonymous Coward on Saturday July 20 2019, @09:29PM

          by Anonymous Coward on Saturday July 20 2019, @09:29PM (#869468)

          And you believe the programmers and laywers involved to have a different mind set to what they do in their free time?

    • (Score: 0) by Anonymous Coward on Friday July 19 2019, @10:37PM

      by Anonymous Coward on Friday July 19 2019, @10:37PM (#869189)

      ...if it's security swiss-cheese the developer can show absolutely no documentation to support they did any sort of security testing or risk analysis at all...all while marketing that their device was all kinds of secure...

      You mean like every piece of "enterprise" software *ever*?

      Seriously, these fines are better than nothing, but they don't provide any restitution for the folks who suffered damages. I'd like to see much higher fines (company destorying levels) for data breaches (encourage companies to not hoard data and not to engage in surveillance), but the proceeds to be distributed to the victims. Even better if corporate veil was automatically pierced by a data leak incident, and major investors could also be gone after too. The current surveillance economy bullshit would end overnight.

  • (Score: 4, Interesting) by Thexalon on Friday July 19 2019, @09:46PM (3 children)

    by Thexalon (636) on Friday July 19 2019, @09:46PM (#869174)

    I prefer the solution of insurance requirements rather than placing liability on a company. The difference, of course, is that with insurance you have to pay for the risks up front, whereas liability only comes into play after things have already gone terribly wrong. And it prevents the all-too-frequent problem of the liable entity conveniently going belly-up (often with the assets even more conveniently getting transferred somewhere else) rather than paying the cost of their mistakes.

    One advantage of the insurance requirement rather than liability is that it creates a financial incentive to not store information that isn't actually needed.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 2) by DannyB on Monday July 22 2019, @01:25PM (2 children)

      by DannyB (5839) Subscriber Badge on Monday July 22 2019, @01:25PM (#869924) Journal

      Liability on the company is a way to encourage them to have insurance. The Insurance Co will encourage them to have good security before they will underwrite the policy.

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
      • (Score: 2) by Thexalon on Monday July 22 2019, @05:22PM (1 child)

        by Thexalon (636) on Monday July 22 2019, @05:22PM (#870009)

        I don't want to "encourage" it, I want to force it. Because the alternative to paying for insurance, for an unscrupulous business owner, is to stash all the assets in a different legal entity, and then when something bad happens, say "whoops, that liable organization is bankrupt, I guess we can't pay for anything now", then they re-open doing the exact same things they were doing before.

        Like you said, an insurance company will push their clients to put in good practices. That's one reason I like that solution.

        --
        The only thing that stops a bad guy with a compiler is a good guy with a compiler.
        • (Score: 2) by DannyB on Monday July 22 2019, @06:03PM

          by DannyB (5839) Subscriber Badge on Monday July 22 2019, @06:03PM (#870023) Journal

          Forcing insurance for manufacturers or vendors is a good idea.

          I would rather keep the liability / requirements upon the manufacturer of the device. But if Amazon sells a fly-by-night device where no manufacturer can be found, then I would want the liability / penalties to fall upon them. So what about the insurance requirement?

          Maybe having insurance makes it impossible for the fly-by-night manufacturer to get away, since the insurance co. would / should know who they are.

          But what if they use fly-by-night Insurance co, from the manufacturer's brother-in-law, and suddenly the insurance company can no longer be found or goes bankrupt?

          Basically how do you catch the irresponsible and / or bad guys?

          --
          To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
  • (Score: 0) by Anonymous Coward on Saturday July 20 2019, @03:19PM (1 child)

    by Anonymous Coward on Saturday July 20 2019, @03:19PM (#869392)

    Dear DannyB,

       

        Taking measures to not get breached sounds like it will cut into my Q2 bonus.

       

        I'll pass on that.

       

    Sincerely,

    CEO

    • (Score: 2) by DannyB on Monday July 22 2019, @01:25PM

      by DannyB (5839) Subscriber Badge on Monday July 22 2019, @01:25PM (#869925) Journal

      Getting breached SHOULD cut into your current bonus and prevent you from ever having any future bonuses.

      Which is choice is more gooder?

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.