Expensive lessons from data protection violations

A GBP183.4 million (around EUR207 million) fine for British Airways; a GBP99 million (EUR112 million) fine for the Marriott hotel chain; a EUR50 million fine for web giant Google. Such staggering figures prove that non-compliance with requirements of the General Data Protection Regulation (GDPR), which entered into force a little over a year and a half ago (on 25 May 2018), is a huge risk and simply unaffordable for most companies.

“In the first year alone, European data protection authorities received almost 90,000 data breach notifications. Companies are usually fined over failure to comply with legal or technical requirements for IT security. Such trouble can be avoided by following a simple rule: expect the best, but prepare for the worst. In the case of GDPR, a company should first carry out a legal and technical audit of key risks; this is equally relevant to small firms and large corporations because, as the above examples show, no business is completely safe,” says Vytautas Vičius, Law Manager at Lewben, a provider of integrated professional services.

His view is backed up by Andžej Šuškevič, CEO of IT solutions provider Baltic Amadeus, who adds that violations of personal data security most often occur due to human error. This means it is advisable to pay a large amount of attention to employee training – not just on their first days of work, but also periodically to refresh their knowledge.

“The most frequent mistake is implementation of the GDPR requirements in only a declarative manner. Data encryption, regular penetration testing, inventory of kept data – all this is often neglected. Proper implementation of these procedures would ensure cyber security as well as reduce the magnitude of potential damage and fines,” says Šuškevič.

Lewben Group and Baltic Amadeus, which have signed a collaboration agreement, offer a joint business service that ensures a client’s compliance with the requirements of the EU’s General Data Protection Regulation.

Experts at both companies have named five well-known cases of GDPR breaches and explained what the violating firms did both wrong and right.

1. One might say Dixons Carphone got lucky that the first loss of data involving the company (in 2015) and the investigation that followed occurred just before the GDPR came into force. It became clear that its systems had been vulnerable for many years. Under previously applicable laws, the maximum fine applicable was GBP500,000 (EUR568,000). However, the same company became involved in another case of violation currently under investigation, for which the consequences could be much graver. Based on GDPR requirements, it has been estimated that the company may have to pay a fine of GBP400 million (EUR454 million).

“This case shows that it is crucial to periodically conduct audits of personal data compliance and security tests. A violation might remain unidentified for one or several years, but if it finally comes to light and the supervisory authorities find that the company has not taken any action to correct the situation, the business will face sanctions,” says Lewben’s Law Manager Vytautas Vičius.

2. British Airways received a record fine of GBP183.4 million after it was found that hackers managed to direct more than half a million visitors to the airline’s website to a fake web page, enabling them to acquire the users’ names, addresses, login details, payment card data, travel bookings and other personal information.

According to Andžej Šuškevič at Baltic Amadeus, attacks by hackers are a continual threat that can target anyone, from individuals and small businesses to large corporations. “One possible solution is to carry out regular professional audits of third-party cybersecurity. These can help to identify potential gaps and resolve any issues in a timely manner,” he says.

3. The Haga hospital in the Netherlands was fined EUR460,000 for inappropriate storage of patients’ data. During the investigation, it was found that the health data of one celebrity had been checked by 197 employees at the hospital. In addition, the hospital did not use two-factor authentication – a mandatory requirement for systems that store patient data.

The CEO at Baltic Amadeus notes that cybersecurity breaches often occur as a result of the human factor, gaps in security or inadvertent behaviour. However, the responsibility for preventing ill-intentioned people from exploiting such vulnerabilities falls to the company itself. “To reduce the likelihood of human error, the company needs to evaluate its internal system processes. Employees must be granted access only to data they need to carry out their direct functions. Overall, information security must become part of the organisation’s culture. It is often the case that employees, without any bad intentions and only due to their desire to work from home rather than in the office, take company data with them and thus endanger it,” says Šuškevič.

4. German social network Knuddels.de was fined EUR 20,000 after hackers stole the usernames and passwords of 1.8 million customers that were held in text format, completely unencrypted. There are two lessons here: firstly, such sensitive data as personal information and login details must be encrypted, reducing the risk of hackers being able to use them; and secondly, you should not try to hide it if your company has been hacked.

“The company reported the incident immediately after it found out about it, so the fine it received was relatively small. This example shows that cooperation with investigating authorities benefits the company too – something that is considered a mitigating factor when imposing a fine or other sanction,” says the Lewben representative.

5. The Marriott hotel chain was fined GBP99 million after it was found that hackers may have stolen the data of 500 million visitors who had registered at Starwood hotels. Marriott acquired this hotel chain in 2016 but, as became clear later, their systems had not been standardised.

“In any transaction, it is essential to take personal data protection issues fully into account. When acquiring a company, the legal audit must assess the risk of potential violations of personal data protection. Such an assessment must be carried out not only by formally checking whether all the necessary documentation is in place, but also by identifying whether such documentation reflects the actual situation,” says Lewben representative Vytautas Vičius.

The experts at Baltic Amadeus and Lewben note that full compliance with GDPR requires a large amount of time, and significant financial and human resources. It is therefore unsurprising that even today, more than a year after the regulation came into force, many businesses have still not taken all the necessary steps to comply with GDPR requirements.

Nevertheless, every company should consider at least the biggest legal and technical risks arising from non-compliance with data protection requirements, and try to manage them in the optimal way to avoid sanctions that could potentially endanger their business continuity.