A year after the groundbreaking General Data Protection Regulation (GDPR) came into effect, the corporate world is waking up to its consequences.
In recent news, the Information Commissioner’s Office (ICO) is proposing to fine the international hotel group Marriott $125 million for a massive data breach involving the records of 339 million of its guests.
Under the provisions of the GDPR, the affected entity could respond to the proposed fine before the ICO makes its final decision. Since the breach affected several European Union countries, other data protection authorities could also weigh in with their opinions. I talked about how victims could handle the aftermath of a breach in a previous article.
This follows closely on the ICO’s stated intention to fine British Airways $230 million for a cyber incident in September 2018. Prior to these big-ticket items, over 200,000 cases were investigated, leading to fines totaling €56 million – the largest of these being the €50 million imposed on Google by the French agency CNIL.
It seems clear that the European Data Protection authorities are just warming up.
Cost of data breaches
As of March 2019, it was reported that the breach had cost Marriott $28 million, of which close to $25 million was covered by the company’s insurance policy. Marriott CEO Arne Sorenson said the breach had not impacted revenue or customer loyalty. However, these are early days yet; the full cost of the breach will only be known in a couple of years – after the fines are paid, revised insurance premiums are determined, and class actions and other lawsuits are settled.
The Ponemon Institute report – 2018 Cost of a Data Breach Study – reveals that the average cost of a data breach is $3.86 million. This includes hidden costs such as lost business, negative impact on reputation, and time and money spent on recovery efforts.
The way forward
There is an increasing global trend towards strengthening privacy regulations and breach notification laws. Consumers are becoming more aware of their privacy rights, with some countries moving towards including data privacy as a fundamental right.
Capgemini research shows that consumers are willing to engage more with organizations that are GDPR compliant, while a more recent study from Cisco reveals that businesses that treated privacy as more than just a compliance initiative benefited from shorter sales cycle times, lower likelihood of data breaches, and reduced system downtime and data losses. The Cisco study also revealed that 42% of respondents believe that investment in privacy enables agility and innovation. This leads to the view that mature organizations regard effective privacy management as a strategic enabler that can deliver competitive advantage.
Geetha Jayaraman helps organizations leverage their use of technology by managing risks to achieve organizational objectives. She uses her experience to facilitate digital transformation of organizations through the adoption of the right technology solutions. As an expert in cyber security, she has guided many organizations in balancing risk with the adoption of technologies. Prior to her current role in Information Risk Assurance at Capgemini, she worked with several large technology service providers to bridge business objectives with ICT solutions.