
posted by chromas on Friday July 19 2019, @06:39PM
from the as-promised dept.

GDPR Shows Its Teeth, Goes After Breached Companies

In 2018, the European Union (EU) General Data Protection Regulation (GDPR) ushered in the most important change in data privacy regulation in 20 years.

[...] EU regulators have long warned that non-compliance with GDPR would result in hefty penalties. Beginning as early as 2018, tech giants Facebook and Google faced scrutiny for a lack of transparency about the data they collect. They were eventually fined €56 million.

But tech companies aren't the only ones in the spotlight. CIO Dive reports that in July 2019, the UK's Information Commissioner's Office announced plans to fine British Airways and Marriott International $230 million and $124 million, respectively, for data breaches reported in 2018.

This action is a huge red flag for all companies. It signifies that GDPR is far more broad-reaching than most firms had anticipated.

"The aim of the GDPR is to protect all EU citizens from privacy and data breaches in today's data-driven world," states the regulation. "Under the GDPR, breach notifications are now mandatory in all member states where a data breach is likely to 'result in a risk for the rights and freedoms of individuals.' This must be done within 72 hours of first having become aware of the breach."

The penalties are severe. Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is greater. In the case of British Airways and Marriott, the fines were stiffer than those incurred by tech companies.

Ironically, the breach doesn't have to come from within to incur the wrath of GDPR enforcers. Marriott was never directly breached. The attack came from an already compromised server inherited during Marriott's 2016 acquisition of the Starwood Hotels group.

Marriott is not alone. Today, 59% of breaches originate with third-party vendors and 53% of acquiring businesses say they've encountered a cybersecurity issue or incident that put an M&A deal in jeopardy.

  • (Score: 4, Interesting) by Thexalon (636) on Friday July 19 2019, @09:46PM (#869174) (3 children)

    I prefer the solution of insurance requirements rather than placing liability on a company. The difference, of course, is that with insurance you have to pay for the risks up front, whereas liability only comes into play after things have already gone terribly wrong. And it prevents the all-too-frequent problem of the liable entity conveniently going belly-up (often with the assets even more conveniently getting transferred somewhere else) rather than paying the cost of their mistakes.

    One advantage of the insurance requirement rather than liability is that it creates a financial incentive to not store information that isn't actually needed.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 2) by DannyB (5839) on Monday July 22 2019, @01:25PM (#869924) (2 children)

    Liability on the company is a way to encourage them to have insurance. The insurance company will encourage them to have good security before they will underwrite the policy.

    --
    The lower I set my standards the more accomplishments I have.
    • (Score: 2) by Thexalon (636) on Monday July 22 2019, @05:22PM (#870009) (1 child)

      I don't want to "encourage" it, I want to force it. Because the alternative to paying for insurance, for an unscrupulous business owner, is to stash all the assets in a different legal entity, and then when something bad happens, say "whoops, that liable organization is bankrupt, I guess we can't pay for anything now", then they re-open doing the exact same things they were doing before.

      Like you said, an insurance company will push their clients to put in good practices. That's one reason I like that solution.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 2) by DannyB (5839) on Monday July 22 2019, @06:03PM (#870023)

        Forcing insurance for manufacturers or vendors is a good idea.

        I would rather keep the liability / requirements upon the manufacturer of the device. But if Amazon sells a fly-by-night device where no manufacturer can be found, then I would want the liability / penalties to fall upon them. So what about the insurance requirement?

        Maybe having insurance makes it impossible for the fly-by-night manufacturer to get away, since the insurance co. would / should know who they are.

        But what if they use a fly-by-night insurance company run by the manufacturer's brother-in-law, and suddenly the insurance company can no longer be found or goes bankrupt?

        Basically how do you catch the irresponsible and / or bad guys?

        --
        The lower I set my standards the more accomplishments I have.