
posted by chromas on Friday July 19 2019, @06:39PM
from the as-promised dept.

GDPR Shows Its Teeth, Goes After Breached Companies

In 2018, the European Union (EU) General Data Protection Regulation (GDPR) heralded in the most important change in data privacy regulation in 20 years.

[...] EU regulators have long warned that non-compliance with GDPR would result in hefty penalties. Beginning as early as 2018, tech giants Facebook and Google faced scrutiny for a lack of transparency about the data they collect. They were eventually fined €56 million.

But tech companies aren't the only ones in the spotlight. CIO Dive reports that in July 2019, the UK's Information Commissioner's Office announced plans to fine British Airways and Marriott International $230 million and $124 million, respectively, for data breaches reported in 2018.

This action is a huge red flag for all companies. It signifies that GDPR is far more broad reaching than most firms had anticipated.

"The aim of the GDPR is to protect all EU citizens from privacy and data breaches in today's data-driven world," states the regulation. "Under the GDPR, breach notifications are now mandatory in all member states where a data breach is likely to 'result in a risk for the rights and freedoms of individuals.' This must be done within 72 hours of first having become aware of the breach."

The penalties are severe. Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is greater. In the case of British Airways and Marriott, the fines were stiffer than those incurred by tech companies.

Ironically, the breach doesn't have to come from within to incur the wrath of GDPR enforcers. Marriott was never directly breached. The attack came from an already compromised server inherited during Marriott's 2016 acquisition of the Starwood Hotels group.

Marriott is not alone. Today, 59% of breaches originate with third-party vendors and 53% of acquiring businesses say they've encountered a cybersecurity issue or incident that put an M&A deal in jeopardy.


  • (Score: 0) by Anonymous Coward on Friday July 19 2019, @07:30PM (#869130)

    i have no sympathy for most companies in the world, but i don't want the government deciding the market by second guessing everything and penalizing based on their likely wrong assumptions. this won't end well. before long they will be saying you get a fine b/c you didn't use brandX cloudware. brandX will be closed source shit that is lobbied to and rooted by the gov. do we let the government fine normal businesses for getting physically broken into? not in the US that i can think of. they have to buy whatever locks are on the market or secure their premises however they choose. when people break in, the cops come and act like they are going to do something about it (take a report). then if the people who had their shit taken have money, they may sue the company and a court will decide if the company is liable. no fucking federal agency just decides and levies fines. This is not great but i'll take slow, expensive court (with a jury) over an all powerful agency any day. all that being said, if you register your company with the government and turn over financial records to them and pay them to do this shit via taxes, you kind of deserve to be lorded over like the whimpering pet you are.

  • (Score: 2, Insightful) by Anonymous Coward on Friday July 19 2019, @08:50PM (#869160)

    For those of us who are less rich than you are, long expensive courts and juries (often corrupt) are one of the many faces of the Devil.
    No, it is not money that should solve this.

    Politely, I am of the completely opposite opinion than you. That the GDPR has more power than I was expecting, for me is a good thing.
    But then again, I live in Europe, and all this could be because here, money is not the new god. Obviously I have more trust in the government compared to Americans. Probably because I have seen it work in the benefit of the population a lot more often than Americans have seen theirs do the same. At the least, it educates me free of charge all the way, from elementary, till university.

    • (Score: 2) by Pino P (4721) on Sunday July 21 2019, @12:06AM (#869479)

      Politely, I am of the completely opposite opinion than you. That the GDPR has more power than I was expecting, for me is a good thing.
      But then again, I live in Europe, and all this could be because here, money is not the new god.

      Have you seen companies outside the EU stop trading in the EU because the companies cannot afford the annual fee for representation required pursuant to article 27?

  • (Score: 2, Interesting) by khallow (3766) on Friday July 19 2019, @11:37PM (#869210)

    Consider the line:

    This action is a huge red flag for all companies. It signifies that GDPR is far more broad reaching than most firms had anticipated.

    I think higher liability for data breaches of customer information is a good idea. But it shouldn't be a surprise when the regulation happens. Here, if you were a business with a large customer base, you might already have collected liability of hundreds of millions of Euros through data breaches that you don't even know about yet from regulation that is still developing. That's not a basis for long term planning. It's a basis for short term CYA on a global scale.

    My beef here is that a messy scramble is going to make everything cost more both from the hasty decisions and the incentives to CYA over making good security decisions.