The fines levied by the EU this past week against British Airways and Marriott International are the largest fines imposed under the General Data Protection Regulation, enacted just over a year ago. The U.K. Information Commissioner’s Office (ICO) fined British Airways a proposed $230 million penalty for an incident that compromised the data of some 500,000 customers which occurred between June through September of 2018. The ICO fined Marriott a proposed $123 million for the loss of 339 million guest records in November 2018. For more on that, see the story at CNBC.
Massive GDPR Fines Mean Investors, Board Members Rethink Cybersecurity
Analyst Take: Ask a company’s board or investors doing their due diligence what GDPR is and how it impacts a company, chances are good some might fumble about for an answer. Massive GDPR fines recently totaling in excess of $350 million US assessed against Marriott and British Airways are likely changing that—if not, they should be.
The EU’s GDPR changed everything about business operations, impacting companies of all sizes all over the world. If privacy, data security, and company-wide security awareness, data protection protocols, and cybersecurity insurance aren’t being discussed in every board room, and in every investor report, and explored in great detail in every M&A undertaking, companies are playing a game of Russian Roulette that is without question going to come around and bite them in areas that will hurt.
GDPR — The Back Story
In 2012, in an effort to transform the European Union for the digital age, the EU outlined plans to reform data protection. In 2016, the plan was fully fleshed out, and an agreement reached on what this data protection reform plan would cover and how it would be enforced. The overarching vision for the plan was based on trust and providing standards for data protection in the EU such that people could trust that they control their personal information. The General Data Protection Regulation (GDPR) is perhaps the cornerstone of that plan, revolving around privacy, consent, and personal data privacy.
How GDPR Impacts Companies
Under the terms of GDPR, organizations are required to manage the process of personal data collection in entirely different ways than they did in the past. Personal data must be gathered legally and under some fairly strict conditions, but there’s more. GDPR also requires that any entity that gathers personal data must protect the individual rights of data owners, and safely manage that data and protect it from theft and misuse. Should they fail to do that, they face fines. GDPR applies to any organization operating within the EU, as well as any organizations outside the EU who offer goods or services to customers or businesses in the EU. Bottom line, GDPR impacts every single major company in the world.
Data Breaches and The Liability Factor — It’s Only the Beginning
The GDPR is a serious move on the part of the EU and for companies experiencing data breaches, significant legal liability can be expected. That has been made very clear with this first batch of fines.
I believe these GDPR fines assessed against British Airways and Marriott are really just the beginning of what’s to come and are intended to show the world that the EU is serious about data privacy and affording individuals who entrust companies with their data as much protection as possible. The Financial Times reported that ICO stated that they are currently looking at an additional 12 significant cases.
Security Needs to be Top-of-Mind for Boards and Investors
That’s where investors and board members come in—security and awareness around data privacy and data protection, for both the company and for its customers, has got to be squarely at the center of any and all strategic business conversations and part of all due diligence as it relates to M&A activity.
Don’t be complacent and think that if your company isn’t a global one that GDPR doesn’t apply to you—the importance of privacy, data protection, and security awareness remains critically important, whether the company is a global one or otherwise.
Case in point, California recently passed into law The California Consumer Privacy Act, also known as AB 375, which will go into effect January 1, 2020. This bill has been described as “almost GDPR in the US” and is the strongest privacy legislation enacted in the U.S. to date. It is inevitable that other states will follow suit with similar privacy-focused legislation.
What Companies Need to Think About Re Data Security
When it comes to what companies need to think about regarding data security, it’s really fairly simple. According to Simon McDougal, part of the ICO management board, one factor that’s taken into consideration with regard to fines is how much attention companies pay to their cybersecurity.
Also important is the seriousness of a data breach, which includes the number of people affected, what types of data is involved, the steps the company takes to mitigate harm to those affected by the breach, and how companies cooperate with the ICO once a breach has occurred.
While these things relate specifically to the EU and GDPR fines assessed by the ICO, I believe they relate to all businesses in every sector. We have many stories of breaches that occur in the U.S. that weren’t reported for months after discovery, leaving customers and their personal data at risk.
The United States and Data Breach Regulations
In the U.S., states individually control many factors relating to data breaches, including notification requirements. Some are strict, some not so much. While most states require immediate notification “without unreasonable delay” that “unreasonable” term is often loosely interpreted. Some states require notification of a breach within 45 days of discovery, others grant up to 90 days. Below is an image that shows data breach laws in states, territories, and the U.S. capital.
Image credit: Digital Guardian
Cybersecurity Insurance, Security Awareness Training are Key
Employees are the often overlooked as the first line of defense when it comes to protection against data breaches. According to the 2019 Data Breach Investigations Report from Verizon, phishing, use of stolen credentials, loss of devices, spyware/keyloggers, data mishandling, privilege abuse, misconfigurations, backdoors, or C2 all figure prominently in incidents of breaches.
While you can protect against the financial implications of a data breach to a certain extent by way of cybersecurity insurance, there are other intangibles—like brand trust and credibility in consumers’ eyes—that insurance can’t protect against. Additionally, ongoing security awareness training is also business mission critical.
The news of the GDPR fines levied against British Airways and Marriott has gotten the attention of CIOs, with a reported surge in companies interested in cybersecurity offerings.
To my way of thinking, this is good news. Not necessarily for British Airways or Marriott, but for businesses the world over who are finally sitting up and taking notice of the importance of cybersecurity, data privacy laws and how they are evolving, the importance of security as part of due diligence as part of an M&A exploration, and the role that ongoing security assessments, security training for staffers, and building a security-first culture play in affording protection against data breaches.
Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.
Check out some of my other articles:
Related content from the Futurum team:
Shelly Kramer is a Principal Analyst and Founding Partner at Futurum Research. A serial entrepreneur with a technology centric focus, she has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation. She brings 20 years' experience as a brand strategist to her work at Futurum, and has deep experience helping global companies with marketing challenges, GTM strategies, messaging development, and driving strategy and digital transformation for B2B brands across multiple verticals. Shelly's coverage areas include Collaboration/CX/SaaS, platforms, ESG, and Cybersecurity, as well as topics and trends related to the Future of Work, the transformation of the workplace and how people and technology are driving that transformation. A transplanted New Yorker, she has learned to love life in the Midwest, and has firsthand experience that some of the most innovative minds and most successful companies in the world also happen to live in “flyover country.”