The European Union last week imposed fines on two major travel companies under its privacy and data protection law, which went into effect a year ago.
Marriott International, the largest hotel company in the world, and British Airways were both ordered to pay millions of dollars in fines under the EU’s General Data Protection Regulation, or GDPR.
Under the GDPR, all companies processing personal data of EU citizens will be subject to the law regardless of the company’s location. They are required to take appropriate measures to protect that personal data.
Bethesda, Md.-based Marriott was ordered to pay $123 million after about 383 million guests had their records compromised in a data breach. The company revealed the breach last November, saying that a third party had gotten unauthorized access to a Starwood reservations database. Marriott purchased Starwood in 2016.
British Airways was fined $229 million for an incident that compromised the data of 500,000 customers last year.
Both companies could have faced higher fines as the regulation allows for 4 percent of a company’s annual global turnover to be levied as a punishment. Both plan to appeal the decisions.
Still, the rulings have sent a message to all companies dealing with European citizens.
“The EU wants to show it means business about protecting consumer privacy and people’s information,” said Joseph Steinberg, a cybersecurity and emerging technologies advisor. “The purpose of having GDPR is to have bite, and if it doesn’t have bite, there’s no point.”
Experts say other companies, especially those in the travel industry that handle so much personal information from their customers, have to tread carefully.
“Companies had a lot of time to prepare for it and most didn’t do a good job,” Steinberg said. “If you’re not up to par, it would be a good time to get moving on it … If you’re operating in Europe or you’ve got assets in Europe, you have to be very, very careful right now.”
Marriott was in a particularly vulnerable spot because the data breach, the company said, involved customers who had made reservations at a Starwood property before the two entities’ reservation systems merged. Still, Marriott should have done its due diligence before acquiring the company by checking its security protocols, experts said.
“All companies that deal with personal information — which is every travel company except possibly local buses that just take cash — have to worry about this,” said Bruce Schneier, a security technologist who has written more than a dozen books on the topic. “And like every other company on the planet, travel companies are not immune from acquiring companies that have worse security practices than they do.”
Stu Sjouwerman, founder and CEO of KnowBe4 Inc., which hosts security awareness training, said that the language of the GDPR is unclear.
Elizabeth Denham, commissioner of the U.K. Information Commissioner’s Office (ICO), which levied the fines, said in announcing the fines that “when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
“What’s worth noting is the word ‘appropriate,’” Sjouwerman said. “There is no clear definition of what is or isn’t appropriate in GDPR … So the onus is on companies to demonstrate that they do take security seriously and have implemented good controls and measures to protect personal data.”
Bottom line: Companies better beware.
Adam Levin, founder of CyberScout and author of “Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves,” said the EU is not alone. Many other countries have similar laws, and he doesn’t see anyone going easy on companies in what he calls a cyberwar.
“You’re talking about a pandemic,” he said. “This is an international issue.”
Countries such as Australia, Brazil, Thailand and the Philippines also have privacy acts. In the United States, the California Consumer Privacy Act was signed into law last summer. It gives consumers the right to know which companies are gathering and sharing their data and to opt out of it.
“We are going to see more of this. We’re not only going to see it by the GDPR. We’re also going to see this by way of other countries that have put in the equivalent of GDPR,” Levin said. “This is spreading.”