It isn’t that no one saw it coming. After all, today’s regime under the European Union General Data Protection Regulation had been crafted under public scrutiny since 2012 and in full force since May 2018. But its implementation left a degree of uncertainty, particularly among multinationals.
In essence, the GDPR requires corporate and state custodians of personal data to secure that information in order to protect the privacy of European citizens, as well as banning the export of personal data to countries outside that region. Violations, according to the protocol, could result in fines as high as 4 percent of an organization’s annual revenues.
Before the new law went into effect, lamentations over the size of prospective fines were widely heard, and during the first year the regulations were in place, GDPR enforcement did, in fact, cite a number of violators. Fines totaling $56 million were levied against those named. That is not a trivial amount, but for multibillion-dollar companies, it’s a comparatively minor cost of doing business. So, while GDPR did provide for significant fines, after their first year’s experience, many businesses felt fines would remain relatively low.
Then came news of a 2014 breach at Starwood Hotels & Resorts – one that resulted in a major loss of customer data including passwords, payment card numbers, and other personally identifiable information. Marriott, which acquired Starwood in 2016, may not have known about the breach or fully understood its significance at the time. But being hit with a $124 million fine for the incident in 2018 – approximately 2 percent of the organization’s annual revenue – was certainly a wake-up call for the global hotelier.
It also served as a wake-up call to other companies considering mergers and acquisitions. Marriott clearly got more than it bargained for when it acquired Starwood, with significant implications for its balance sheet. What it initially saw as a competitive advantage morphed into a financial burden, in addition to damaging its reputation among potential guests. Unless an acquirer evaluates the cyber risks to sensitive data held by an acquisition target – and confirms the presence of robust detection and response capabilities around that data – the liability associated with its compromise becomes an unwelcome part of the bargain.
Something similar happened in 2017, after two massive breaches of Yahoo data were disclosed at a time when the company was about to be acquired by Verizon. As a result, the terms of the sale abruptly changed. Verizon ended up paying $350 million less than it originally offered. Beyond that, the two organizations agreed to share the legal and regulatory liabilities resulting from approximately 1.5 billion hacked accounts.
This year’s fine against Marriott also punctured another widely held belief in Europe. Prior experience with issues involving personal information suggested that, once the GDPR was in place, the social media giants – the Facebooks and Googles of the world – would be its primary targets. Although social media remain of keen interest to regulators, the Starwood incident showed that the circle of potential wrongdoing extends to other types of businesses as well.
GDPR did not, however, create a cyber police force to search for violations. Instead, a key component of the protocols involves self-reporting of breaches. Organizations are required to report the exposure of personal data to regulators and affected individuals within 72 hours after becoming aware of such breaches. Reportable breaches could be as minor as an inadvertent BCC sent to the wrong recipient, or as major as a detailed customer database exposed online. IAPP – the Information Assurance and Privacy Practitioners – recently issued a study of what happened in the first year of GDPR. Throughout Europe and its partner nations, between May 2018 and February 2019, regulators received approximately 59,000 breach notifications; 91 of them resulted in fines, most of which were relatively small. However, in the view of many observers, the actual number of breaches may be far greater, and many of them could involve the exposure of thousands or even millions of files.
The drive to protect personal data is not unique to Europe. While national legislation may be a victim of partisan gridlock, the U.S. Federal Trade Commission recently approved a $5 billion fine against Facebook for mishandling users’ personal information. Singapore has its own Personal Data Protection Act, similar to GDPR. Australia has its Privacy Principles. Even South Africa has a detailed privacy protocol.
But while the world has witnessed progress in the protection of personal data and in the priority given to third-party risk management, significant cultural differences affecting the ownership of information remain. In the United States, for example, many types of data that would be considered off limits in Europe are openly collected and freely exchanged. For companies based in the U.S. with customers and files in many different countries, reconciling conflicting practices and laws is likely to remain a serious headache for years to come.