
posted by chromas on Friday July 19 2019, @06:39PM
from the as-promised dept.

GDPR Shows Its Teeth, Goes After Breached Companies

In 2018, the European Union (EU) General Data Protection Regulation (GDPR) heralded in the most important change in data privacy regulation in 20 years.

[...] EU regulators have long warned that non-compliance with GDPR would result in hefty penalties. Beginning as early as 2018, tech giants Facebook and Google faced scrutiny for a lack of transparency about the data they collect. They were eventually fined €56 million.

But tech companies aren't the only ones in the spotlight. CIO Dive reports that in July 2019, the UK's Information Commissioner's Office announced plans to fine British Airways and Marriott International $230 million and $124 million, respectively, for data breaches reported in 2018.

This action is a huge red flag for all companies. It signifies that GDPR is far more broad-reaching than most firms had anticipated.

"The aim of the GDPR is to protect all EU citizens from privacy and data breaches in today's data-driven world," states the regulation. "Under the GDPR, breach notifications are now mandatory in all member states where a data breach is likely to 'result in a risk for the rights and freedoms of individuals.' This must be done within 72 hours of first having become aware of the breach."

The penalties are severe. Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is greater. In the case of British Airways and Marriott, the fines were stiffer than those incurred by tech companies.

Ironically, the breach doesn't have to come from within to incur the wrath of GDPR enforcers. Marriott was never directly breached. The attack came from an already compromised server inherited during Marriott's 2016 acquisition of the Starwood Hotels group.

Marriott is not alone. Today, 59% of breaches originate with third-party vendors and 53% of acquiring businesses say they've encountered a cybersecurity issue or incident that put an M&A deal in jeopardy.


  • (Score: 2) by vux984 on Friday July 19 2019, @07:49PM (4 children)

    by vux984 (5045) on Friday July 19 2019, @07:49PM (#869143)

    " But I think it puts the blame possibly on the wrong party."

    Probably, in the short term, but the pressure is going to work its way back up the chain.

    If I were facing a 200 million fine, I'd find the spare change to put some lawyers on investigating whether negligent/irresponsible practices by a vendor are responsible and sue them for my damages. If it's security swiss-cheese and the developer can show absolutely no documentation to support that they did any sort of security testing or risk analysis at all... all while marketing that their device was all kinds of secure... then they might also be found liable. After a couple of those lawsuits, customers like Marriott etc. are going to demand vendors demonstrate they are taking security seriously up front, and the vendors will be making sure they're practicing some sort of quality control that will at least meet some threshold of due diligence, and the situation overall might improve.

  • (Score: 0) by Anonymous Coward on Friday July 19 2019, @10:34PM (2 children)

    by Anonymous Coward on Friday July 19 2019, @10:34PM (#869188)

    All software comes with an EULA that disclaims any and all liability, and likewise that it isn't the manufacturer's fault if it doesn't "work as advertised". Every single EULA ever is worded in that way. The problems begin with this mindset.

    • (Score: 2) by deimtee on Saturday July 20 2019, @09:46AM (1 child)

      by deimtee (3272) on Saturday July 20 2019, @09:46AM (#869336) Journal

      Big companies like BA and Marriott are not running their systems on a copy of MYOB. They will have service contracts and extended dealings with vendors. EULAs, even if you concede that they are contracts (which I don't), will not be relevant.

      • (Score: 0) by Anonymous Coward on Saturday July 20 2019, @09:29PM

        by Anonymous Coward on Saturday July 20 2019, @09:29PM (#869468)

        And you believe the programmers and lawyers involved to have a different mindset to what they do in their free time?

  • (Score: 0) by Anonymous Coward on Friday July 19 2019, @10:37PM

    by Anonymous Coward on Friday July 19 2019, @10:37PM (#869189)

    ...if it's security swiss-cheese the developer can show absolutely no documentation to support they did any sort of security testing or risk analysis at all...all while marketing that their device was all kinds of secure...

    You mean like every piece of "enterprise" software *ever*?

    Seriously, these fines are better than nothing, but they don't provide any restitution for the folks who suffered damages. I'd like to see much higher fines (company-destroying levels) for data breaches (encourage companies not to hoard data and not to engage in surveillance), but with the proceeds distributed to the victims. Even better if the corporate veil were automatically pierced by a data leak incident, and major investors could also be gone after. The current surveillance economy bullshit would end overnight.