Workload and Application Security Blog

Prediction Series #8: GDPR Breach Disclosure Mandate Is Now Global & Must Be Timely

Written by Virsec Systems | Mar 26, 2019 5:50:11 AM

Companies will be forced to be upfront and timely or face even steeper fines

Coming up on the first anniversary, many companies still working on compliance

On May 25, 2018, the much-anticipated GDPR went into affect, requiring that firms get specific permission from customers and prospects to use their information. Businesses had 2 years to ready themselves but the numbers of how many were actually prepared in advance were not impressive. Just 20% of companies were fully prepared and compliant. Roughly 53% were still implementing regulations shortly after May 25 and the rest opted to take their chances with a “wait and see” approach.

Since May, the scramble to comply has relaxed but the penalties for those who are not compliant but experience a data breach will face penalties that are anything but relaxed. Violators will face heftier fines than ever before. And now that significant breaches have occurred, initial fines are being levied.

British Airways awaits their fine for a data breach spanning a couple weeks in late summer. Facebook has recently been fined £500,000, the largest fine possible the Information Commissioner’s Office (ICO) could impose pre-GDPR for its first breach occurring from 2007-2014. Had that breach happened before this year, the fine would have been substantially larger.

Marriott breach falls under GDPR rules

The Marriott breach last year also falls under GDPR’s penalty and will be worse because they failed to disclose the breach for a couple of months. Penalties can be up to 4% gross global annual revenue from the prior year, likely more if the breach isn’t revealed within 72 hours. Other new privacy regulations, such as California’s new privacy law going into effect, can also impose fines for every citizen impacted, heaping on even larger fines than – and in addition to - the GDPR. (See our blog, Marriott reports massive data breach of 500 million of its Starwood guest records, https://virsec.com/marriott-reports-massive-data-breach-of-500-million-of-its-starwood-guest-records/ )

Facebook facing multiple violations, investigations

Again, Facebook is facing multiple violations for breaches, some that occurred prior to the GDPR and others that do fall under GDPR rules. Because Facebook breaches have been fully their fault and often not disclosed in a timely manner, the fines they face will undoubtedly be larger.

(See our blogs on Facebook compromises:

1) Facebook compromises users’ privacy yet again

2) ICO issues maximum £500,000 fine to Facebook for failing to protect users’ personal information

3) Facebook breach could have impacted third-party apps; Is huge GDPR fine on the horizon?

4) Facebook is under the spotlight yet again for another huge data breach—this time affecting many other apps and sites you’ve logged into

Along with Facebook, four other tech giants – Apple, LinkedIn, Google and Twitter – face investigations for possible violations of European laws. In Google’s case, the huge question of whether online advertising violates user privacy is at stake. (See our security news article, Five Tech Giants – Facebook, Twitter, Apple, LinkedIn, Google – Face Investigations for Possibly Violating European Privacy Laws.)

After a few rounds of these large companies being hit with staggering financial consequences – to say nothing of the repeated hits to their reputations –it will sink in that these regulations have big teeth. Europe is determined to protect its users’ privacy and that impacts US companies in multiple and significant ways.

Better to invest in security than pay steep penalties

Companies have a choice to improve their security posture, take out breach insurance, or set aside 4% (or more) of their global revenue for future fines. We predict (and hope) that before long, companies will begin to see it’s a much wiser choice to invest their resources in improving their security and protecting themselves rather than paying the steep price of getting caught in investigations or exorbitant breach fines.