For many months, infosec and privacy colleagues alike have been telling me that the FUD (fear, uncertainty and doubt) about the terrifying levels of EU fines under the European Union General Data Privacy Regulation (GDPR) have disappeared from the boardrooms and executive management meetings.
In many organizations, the sentiment from senior management was that GDPR was another Y2K; it looked terrifying on paper but – meh – it probably did not matter that much after all.
As the statistics from the first 12 months of GDPR rolled-in, these managerial beliefs that the regulation was all hype and no action were reinforced.
- 206,326 cases (complaints and breach notifications) reported to the European regulators
- 52 percent of cases closed with minimal action
- Only 11 out of 31 countries had so far issued fines
- The total amount of GDPR fines at that time: €55,955,871
- … and €50m of that was to Google
There was a near-universal sigh of managerial relief and, in many organizations, privacy and data security efforts slid down the agenda … until this Monday.
On Monday, the ICO (the UK lead supervisory authority for regulating GDPR) issued its intention to fine British Airways £183.391m (around US$230m) for losing around 500,000 customers details in a card-skimming scam from an attack that commenced in June 2018.
That was then followed on Tuesday by an announcement from the same regulator of its intention to fine Marriott International £99.2m (around US$124m) for losing around 30 million EU customer details in the breach they failed to discover until 2018.
By Wednesday, any sensible organization has moved effective privacy and security right back up at the top of its risk radar. One key reason security should be there: Both of these events were effectively about the failure to adequately protect personal data against cyber-attack.
As one of the people impacted in one of those breaches – and as an infosec professional who has to constantly battle for resources – my opinion is that this just might be a second watershed moment for our sector.
The first watershed was after WannaCry and NotPetya hit, and the majority of organizations began to realize that they needed to actually take cybersecurity more seriously.
This could be the second watershed if the intention to impose substantial fines is followed through.
Let me explain this point a little further.
It is an unpalatable truth that most sensible commercial decisions are made on the basis of risk. If you have a small chance of a small fine for the mismanagement of privacy information, then most organizations will aim to manage that risk on a shoestring. They want to be seen as doing the right thing – but why spend tens of millions of any currency fixing something that probably will never cost you more than a small percentage of that budget? That was the perception of GDPR until Monday.
After the intention to impose substantial GDPR fines was announced early this week, that perception has changed. Any organization that was considering putting GDPR or cybersecurity on a modest budget is re-evaluating that choice.
Whether this is a tipping point for setting in motion better investment in cybersecurity and data privacy still relies on a few things – and the first of those will be whether the intention to impose substantial penalties materializes into reality.
Will the fines really be applied? Will they be paid? Will more mega-fines follow?
The answers to each of these questions could have just as much impact on the privacy and security sector as WannaCry and NotPetya did.