
posted by chromas on Friday July 19 2019, @06:39PM
from the as-promised dept.

GDPR Shows Its Teeth, Goes After Breached Companies

In 2018, the European Union (EU) General Data Protection Regulation (GDPR) ushered in the most important change in data privacy regulation in 20 years.

[...] EU regulators have long warned that non-compliance with GDPR would result in hefty penalties. Beginning as early as 2018, tech giants Facebook and Google faced scrutiny for a lack of transparency about the data they collect. They were eventually fined €56 million.

But tech companies aren't the only ones in the spotlight. CIO Dive reports that in July 2019, the UK's Information Commissioner's Office announced plans to fine British Airways and Marriott International $230 million and $124 million, respectively, for data breaches reported in 2018.

This action is a huge red flag for all companies. It signifies that GDPR is far more broad-reaching than most firms had anticipated.

"The aim of the GDPR is to protect all EU citizens from privacy and data breaches in today's data-driven world," states the regulation. "Under the GDPR, breach notifications are now mandatory in all member states where a data breach is likely to 'result in a risk for the rights and freedoms of individuals.' This must be done within 72 hours of first having become aware of the breach."

The penalties are severe. Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is greater. In the case of British Airways and Marriott, the fines were stiffer than those incurred by tech companies.

Ironically, the breach doesn't have to come from within to incur the wrath of GDPR enforcers. Marriott was never directly breached. The attack came from an already compromised server inherited during Marriott's 2016 acquisition of the Starwood Hotels group.

Marriott is not alone. Today, 59% of breaches originate with third-party vendors and 53% of acquiring businesses say they've encountered a cybersecurity issue or incident that put an M&A deal in jeopardy.



  • (Score: 2) by DannyB on Friday July 19 2019, @06:58PM (12 children)

    by DannyB (5839) Subscriber Badge on Friday July 19 2019, @06:58PM (#869116) Journal

    I have argued previously that the liability should be squarely on the manufacturer. (Or vendor if manufacturer cannot be found, such as buying from fly-by-night manufacturer on Amazon.)

    People would then argue that I was advocating:
    * government standard code implementations
    * government certification of some type
    * government testing program of some type

    Nope. Nothing of the sort. Just liability where it belongs.

    This would suddenly make it a whole lot cheaper for manufacturers to:
    * put actual resources into securing their Internet of Trash implementations
    * cooperating with other manufacturers on secure practices, libraries, common implementations, etc. In an open-source like fashion.

    All that said, maybe GDPR will still end up causing it to be much cheaper to take measures not to get breached. But I think it puts the blame possibly on the wrong party. Sometimes. But maybe not always. Even if you buy a secure system, that doesn't mean you will operate it in a secure manor manner.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 0) by Anonymous Coward on Friday July 19 2019, @07:04PM

      by Anonymous Coward on Friday July 19 2019, @07:04PM (#869120)

      "Even if you buy a secure system, that doesn't mean you will operate it in a secure manner."

      Even assuming your manor is secured your hardware is still vulnerable to online attacks!

      Anyway, you nailed it with the last sentence. The burden has to start with the origin and work its way back up the chain. Vendors should create secure products, but they can't control their customers so I think the blame is being correctly placed. If privacy legislation really does take off then the company with good security will be running a gold mine.

    • (Score: 2) by vux984 on Friday July 19 2019, @07:49PM (4 children)

      by vux984 (5045) on Friday July 19 2019, @07:49PM (#869143)

      " But I think it puts the blame possibly on the wrong party."

      Probably, in the short term, but the pressure is going to work its way back up the chain.

      If I were facing a 200 million fine, I'd find the spare change to put some lawyers on investigating whether negligent/irresponsible practices by a vendor are responsible and sue them for my damages. If it's security swiss-cheese and the developer can show absolutely no documentation to support that they did any sort of security testing or risk analysis at all... all while marketing that their device was all kinds of secure... then they might also be found liable. After a couple of those lawsuits, customers like Marriott etc. are going to demand vendors demonstrate they are taking security seriously up front, and the vendors will be making sure they're practicing some sort of quality control that will at least meet some threshold of due diligence, and the situation overall might improve.

      • (Score: 0) by Anonymous Coward on Friday July 19 2019, @10:34PM (2 children)

        by Anonymous Coward on Friday July 19 2019, @10:34PM (#869188)

        All software comes with an EULA that disclaims any and all liability, and likewise that it isn't the manufacturer's fault if it doesn't "work as advertised". Every single EULA ever is worded in that way. The problems begin with this mindset.

        • (Score: 2) by deimtee on Saturday July 20 2019, @09:46AM (1 child)

          by deimtee (3272) on Saturday July 20 2019, @09:46AM (#869336) Journal

          Big companies like BA and Marriott are not running their systems on a copy of MYOB. They will have service contracts and extended dealings with vendors. EULAs, even if you concede that they are contracts (which I don't), will not be relevant.

          --
          If you cough while drinking cheap red wine it really cleans out your sinuses.
          • (Score: 0) by Anonymous Coward on Saturday July 20 2019, @09:29PM

            by Anonymous Coward on Saturday July 20 2019, @09:29PM (#869468)

            And you believe the programmers and lawyers involved to have a different mindset to what they do in their free time?

      • (Score: 0) by Anonymous Coward on Friday July 19 2019, @10:37PM

        by Anonymous Coward on Friday July 19 2019, @10:37PM (#869189)

        ...if it's security swiss-cheese the developer can show absolutely no documentation to support they did any sort of security testing or risk analysis at all...all while marketing that their device was all kinds of secure...

        You mean like every piece of "enterprise" software *ever*?

        Seriously, these fines are better than nothing, but they don't provide any restitution for the folks who suffered damages. I'd like to see much higher fines (company-destroying levels) for data breaches (encourage companies to not hoard data and not to engage in surveillance), but the proceeds to be distributed to the victims. Even better if the corporate veil were automatically pierced by a data leak incident, and major investors could be gone after too. The current surveillance economy bullshit would end overnight.

    • (Score: 4, Interesting) by Thexalon on Friday July 19 2019, @09:46PM (3 children)

      by Thexalon (636) on Friday July 19 2019, @09:46PM (#869174)

      I prefer the solution of insurance requirements rather than placing liability on a company. The difference, of course, is that with insurance you have to pay for the risks up front, whereas liability only comes into play after things have already gone terribly wrong. And it prevents the all-too-frequent problem of the liable entity conveniently going belly-up (often with the assets even more conveniently getting transferred somewhere else) rather than paying the cost of their mistakes.

      One advantage of the insurance requirement rather than liability is that it creates a financial incentive to not store information that isn't actually needed.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 2) by DannyB on Monday July 22 2019, @01:25PM (2 children)

        by DannyB (5839) Subscriber Badge on Monday July 22 2019, @01:25PM (#869924) Journal

        Liability on the company is a way to encourage them to have insurance. The insurance company will encourage them to have good security before they will underwrite the policy.

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
        • (Score: 2) by Thexalon on Monday July 22 2019, @05:22PM (1 child)

          by Thexalon (636) on Monday July 22 2019, @05:22PM (#870009)

          I don't want to "encourage" it, I want to force it. Because the alternative to paying for insurance, for an unscrupulous business owner, is to stash all the assets in a different legal entity, and then when something bad happens, say "whoops, that liable organization is bankrupt, I guess we can't pay for anything now", then they re-open doing the exact same things they were doing before.

          Like you said, an insurance company will push their clients to put in good practices. That's one reason I like that solution.

          --
          The only thing that stops a bad guy with a compiler is a good guy with a compiler.
          • (Score: 2) by DannyB on Monday July 22 2019, @06:03PM

            by DannyB (5839) Subscriber Badge on Monday July 22 2019, @06:03PM (#870023) Journal

            Forcing insurance for manufacturers or vendors is a good idea.

            I would rather keep the liability / requirements upon the manufacturer of the device. But if Amazon sells a fly-by-night device where no manufacturer can be found, then I would want the liability / penalties to fall upon them. So what about the insurance requirement?

            Maybe having insurance makes it impossible for the fly-by-night manufacturer to get away, since the insurance co. would / should know who they are.

            But what if they use fly-by-night Insurance co, from the manufacturer's brother-in-law, and suddenly the insurance company can no longer be found or goes bankrupt?

            Basically how do you catch the irresponsible and / or bad guys?

            --
            People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 0) by Anonymous Coward on Saturday July 20 2019, @03:19PM (1 child)

      by Anonymous Coward on Saturday July 20 2019, @03:19PM (#869392)

      Dear DannyB,

          Taking measures to not get breached sounds like it will cut into my Q2 bonus.

          I'll pass on that.

      Sincerely,

      CEO

      • (Score: 2) by DannyB on Monday July 22 2019, @01:25PM

        by DannyB (5839) Subscriber Badge on Monday July 22 2019, @01:25PM (#869925) Journal

        Getting breached SHOULD cut into your current bonus and prevent you from ever having any future bonuses.

        Which choice is more gooder?

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 1) by fustakrakich on Friday July 19 2019, @07:05PM

    by fustakrakich (6150) on Friday July 19 2019, @07:05PM (#869121) Journal

    Let's hope they go after the really big companies, banks, credit agencies, etc. Will they feel the 4%? Or just skim the dividends and raise ATM fees? Are their corporate charters up for grabs?

    --
    Politics and criminals are the same thing.
  • (Score: 0) by Anonymous Coward on Friday July 19 2019, @07:30PM (3 children)

    by Anonymous Coward on Friday July 19 2019, @07:30PM (#869130)

    I have no sympathy for most companies in the world, but I don't want the government deciding the market by second-guessing everything and penalizing based on their likely wrong assumptions. This won't end well. Before long they will be saying you get a fine b/c you didn't use brandX cloudware. brandX will be closed-source shit that is lobbied to and rooted by the gov. Do we let the government fine normal businesses for getting physically broken in to? Not in the US that I can think of. They have to buy whatever locks are on the market or secure their premises however they choose. When people break in, the cops come and act like they are going to do something about it (take a report). Then if the people who had their shit taken have money, they may sue the company and a court will decide if the company is liable. No fucking federal agency just decides and levies fines. This is not great, but I'll take a slow, expensive court (with a jury) over an all-powerful agency any day. All that being said, if you register your company with the government and turn over financial records to them and pay them to do this shit via taxes, you kind of deserve to be lorded over like the whimpering pet you are.

    • (Score: 2, Insightful) by Anonymous Coward on Friday July 19 2019, @08:50PM (1 child)

      by Anonymous Coward on Friday July 19 2019, @08:50PM (#869160)

      For those of us who are less rich than you are, long expensive courts and juries (often corrupt) are one of the many faces of the Devil.
      No, it is not money that should solve this.

      Politely, I am of the completely opposite opinion to you. That the GDPR has more power than I was expecting is, for me, a good thing.
      But then again, I live in Europe, and all this could be because here, money is not the new god. Obviously I have more trust in the government compared to Americans. Probably because I have seen it work for the benefit of the population a lot more often than Americans have seen theirs do the same. At the least, it educates me free of charge all the way, from elementary school through university.

      • (Score: 2) by Pino P on Sunday July 21 2019, @12:06AM

        by Pino P (4721) on Sunday July 21 2019, @12:06AM (#869479) Journal

        Politely, I am of the completely opposite opinion than you. That the GDPR has more power than I was expecting, for me is a good thing.
        But then again, I live in Europe, and all this could be because here, money is not the new god.

        Have you seen companies outside the EU stop trading in the EU because the companies cannot afford the annual fee for representation required pursuant to article 27?

    • (Score: 2, Interesting) by khallow on Friday July 19 2019, @11:37PM

      by khallow (3766) Subscriber Badge on Friday July 19 2019, @11:37PM (#869210) Journal
      Consider the line:

      This action is a huge red flag for all companies. It signifies that GDPR is far more broad reaching than most firms had anticipated.

      I think higher liability for data breaches of customer information is a good idea. But it shouldn't be a surprise when the regulation happens. Here, if you were a business with a large customer base, you might already have collected liability of hundreds of millions of Euros through data breaches that you don't even know about yet, from regulation that is still developing. That's not a basis for long-term planning. It's a basis for short-term CYA on a global scale.

      My beef here is that a messy scramble is going to make everything cost more both from the hasty decisions and the incentives to CYA over making good security decisions.
