GDPR fines and the impact on enterprise cybersecurity
July 12, 2019
The day has finally come. Many people across the globe have been counting down to the first large fine for noncompliance with the General Data Protection Regulation (GDPR). The Information Commissioner’s Office (ICO) is making an example of British Airways and Marriott International.
GDPR requires that an organisation conducting business in Europe must collect, process, and store personally identifiable information (PII) in a safe way. If a compromise occurs, the question that will be asked by regulators is: did that organisation take due care in protecting PII?
This question should be asked not just by regulators, but also by consumers. After all, it is our legal right to privacy of information and erasure. It is illegal to misuse or fail to secure such data.
British Airways has been struck with a proposed fine of £183m ($230m) (here’s the statement from the ICO on BA). Not a day later, Marriott has been handed a proposed fine of £99m ($124m) (here’s the ICO statement about Marriott).
When GDPR came into force in May 2018, many businesses made small movements towards compliance and just about scraped by.
The threat from the ICO was a maximum of 4% of annual revenue. In those terms, the proposed fines to British Airways and Marriott seem relatively lenient. The £183m figure is roughly 1.5% of BA’s £11.6b revenue and 10% of profit. Equally, £99m is less than 0.6% of Marriott’s £16.65b revenue and 5% of profit.
There will be further costs involved beyond the fine itself, however. The security and data protection of these companies will come under more scrutiny. Audits, both internal and external, will be required. New technologies and solutions will be necessary. Marketing and PR campaigns will be required to help negate some of the inevitable reputational damage. Not to mention that compensation of customers may also be required. Plenty of these are likely already underway, given that the breaches themselves were found some months ago.
Returning to the question above, British Airways and Marriott will try to demonstrate within the ICO appeals process that due care was taken in protecting their customers’ PII.
Nevertheless, these are by far the largest publicly known fines ever associated with a data compromise. The previous record was set by the £500,000 fine handed to Facebook following the Cambridge Analytica scandal in early 2018, before GDPR came into effect. We must keep in mind, though, that the proposed fines from the ICO are not for suffering a data breach, but for GDPR noncompliance.
In June 2018, hackers diverted information from British Airways’ website to a fraudulent site. According to the ICO’s statement, they harvested PII from half a million customers, including credit card data, login details, names, addresses and travel booking information. Various experts, including Prof Alan Woodward from the University of Surrey, suggest that details were taken at the point of entry via a malicious script on the website. Blame has been pinned on the sophisticated card-skimming hacker group Magecart, whom you may remember from the Ticketmaster attack.
The ICO found that British Airways ‘was compromised by poor security arrangements’. The statement does allow, though, that the company ‘has made improvements to its security arrangements since the events came to light’.
The events around Marriott’s data breach are somewhat different. The Starwood hotels group was compromised in 2014 and subsequently acquired by Marriott in 2016. All of this occurred before GDPR came into effect. However, in November 2018, Marriott discovered and announced a colossal hack that affected 339 million customers; 30 million of these were based in Europe, and 7 million were in the UK. The PII stolen was some combination of name, date of birth, gender, address, phone number, email, passport number, account information and booking information. Encrypted card information was taken, but the encryption key may also have been stolen. Although the compromise itself predated GDPR, under the stipulations of the regulation Marriott is culpable because the evidence of non-compliance and ‘exposure of customer information was not discovered until 2018, after GDPR came into effect’.
The Marriott/Starwood compromise demonstrates the importance of cybersecurity when it comes to mergers and acquisitions. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems. The Information Commissioner Elizabeth Denham highlighted this in the ICO’s statement: ‘The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.’
What are the implications?
The tribulations of these two companies can be seen as a warning that the ICO, and other regulators enforcing GDPR, are willing to show some bite in order to get companies to take the standards seriously. Perhaps these proposed fines can be seen as a test case for how the ICO will equip itself for future forays into enforcement. The reach of these actions, though, will stretch well beyond Europe. Under GDPR, any company that maintains PII on an EU citizen must also adhere to GDPR standards.
Boards and CEOs in enterprise companies across the world will look at these events and ask their CIO or CISO: ‘Can this happen to us?’
Teams try to answer this question with manual processes involving spreadsheets and gut feelings, which is painful, untimely, and inaccurate.
The answer is not necessarily to buy more tools; it is to invest in the right tools and make sure they are working effectively. In a recent study on visibility in cybersecurity, Panaseer found that companies are using 50+ security tools, but that security teams have no real way of knowing whether the tools they have invested in are fully deployed. A large number of tools can lead to false confidence in coverage.
However, boards can look at those £183m and £99m figures and see that there is now a business case to make sure that ‘security arrangements’ (that is, security controls) are running as they should be. In order to do this, and to effectively demonstrate due care, enterprise companies need to continuously run automated, real-time assurance on their security controls. Few companies currently run a Continuous Controls Monitoring (CCM) platform or similar, yet it should become standard practice to treat one as part of a mature security programme.
In an interview, Information Commissioner Elizabeth Denham said that the most frustrating thing is ‘so many of our investigations are finding basic or a lack of cybersecurity hygiene’. CCM is a key step in improving cyber hygiene enterprise-wide by getting the basics right.
Returning to the question of due care: can a breached company claim that they had taken due care if their basic controls are not in place on a compromised device? Especially if a failure in these controls was a factor in that breach?
When the regulators come knocking, it will be hard to substantiate your ability to protect PII if it turns out your endpoint detection and response tool was only running on 80% of endpoints, or if your configuration management database was missing 20% of devices.
Continuously validated controls assurance is an effective process and mechanism to meet these regulatory thresholds. It might even have helped to prevent the breach, by identifying key control gaps that required fixing, or to avoid the large fine, by demonstrating that due care was taken. Indeed, in the case of Marriott’s acquisition of Starwood, if both had been running such tools, the cybersecurity merger process would have been far smoother. Currently, companies must rely on third-party ‘outside-in’ tools or techniques, such as cyber audits and questionnaires, which suffer from inaccuracies (just ask Yahoo, whose reputational damage following the enormous data breach that came to light in 2016 enabled Verizon to shave $350 million off the takeover price).
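As an added illustration of the kind of check the preceding paragraphs describe (this is example code written for this page, not the original post’s or Panaseer’s product code), the snippet below reconciles a CMDB asset export against EDR agent check-ins to find devices with no agent, devices whose agent has gone silent, and devices the EDR sees but the CMDB does not know about. Host names, timestamps and the seven-day staleness threshold are constructed assumptions.

```python
"""Control-coverage check: CMDB inventory vs. EDR agent check-ins.

Answers the question "is the EDR tool actually running on every device we
think we own?" with evidence rather than a spreadsheet estimate.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample exports (hypothetical host names and timestamps).
CMDB_ASSETS = {"ws-001", "ws-002", "ws-003", "ws-004", "srv-db-01", "srv-web-01"}
EDR_LAST_SEEN = {
    "ws-001": "2019-07-11T08:00:00",
    "ws-002": "2019-07-11T09:30:00",
    "ws-003": "2019-06-01T10:00:00",   # agent installed but silent for weeks
    "srv-web-01": "2019-07-12T07:45:00",
    "lab-007": "2019-07-12T06:00:00",  # reporting to EDR, absent from the CMDB
}
NOW = datetime.fromisoformat("2019-07-12T12:00:00")
STALE_AFTER = timedelta(days=7)  # assumed threshold for a "healthy" agent


@dataclass
class CoverageReport:
    coverage_pct: float      # CMDB assets with a healthy agent, as a percentage
    missing_agent: set       # in the CMDB, never seen by the EDR
    stale_agent: set         # in the CMDB, agent present but not checking in
    unknown_to_cmdb: set     # EDR sees them, CMDB does not (inventory gap)


def assess_edr_coverage(cmdb, edr, now=NOW, stale_after=STALE_AFTER):
    """Reconcile the two inventories and return the control-coverage gaps."""
    healthy = {host for host, ts in edr.items()
               if now - datetime.fromisoformat(ts) <= stale_after}
    covered = cmdb & healthy
    pct = round(100 * len(covered) / len(cmdb), 1) if cmdb else 0.0
    return CoverageReport(
        coverage_pct=pct,
        missing_agent=cmdb - set(edr),
        stale_agent=cmdb & (set(edr) - healthy),
        unknown_to_cmdb=set(edr) - cmdb,
    )


if __name__ == "__main__":
    report = assess_edr_coverage(CMDB_ASSETS, EDR_LAST_SEEN)
    print(f"EDR coverage of CMDB assets: {report.coverage_pct}%")
    print(f"No agent:        {sorted(report.missing_agent)}")
    print(f"Stale agent:     {sorted(report.stale_agent)}")
    print(f"Unknown to CMDB: {sorted(report.unknown_to_cmdb)}")
```

Run against the sample data, the coverage figure drops to 50% once stale agents are excluded, which is exactly the gap a spreadsheet listing "agent installed" would have hidden.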
Of course, there’s no single answer, but continuous real-time control assurance would be a good start.
Hopefully, more companies will take up automated solutions that provide real-time assurance of controls and ‘security arrangements’. Companies should take note of the British Airways and Marriott debacles and recognise that GDPR forces companies to invest in their customers’ right to privacy or face heavy financial consequences, whether that comes in the form of a fine, shareholder revolt, operational obstruction, or reputational damage.