Data is breached every single day, but most of these breaches don’t make headlines. Now that the European Union’s General Data Protection Regulation (GDPR) has come into effect (May 25, 2018), companies that experience a significant data breach won’t just be dealing with a public relations snafu and the financial strain brought on by the breach; they will also face the large fines mandated by the regulation. To get a sense of what the GDPR means for companies, we will review a few of the world’s largest data breaches and the implications if GDPR penalties had been in place at the time of each breach.
The European Parliament approved the GDPR in 2016 with the intent of consolidating data privacy laws across Europe and protecting EU citizens’ privacy in an increasingly data-driven world. The GDPR covers ALL companies that process the personal data of people in the EU, regardless of where the company is located. In addition, penalties for a breach are serious for both data controllers and data processors. Companies must use clear language to obtain authorisation from an individual to use their data; no smoke and mirrors or confusing legalese is allowed. Companies must also notify individuals that their data was potentially compromised within 72 hours of realising a data breach occurred, and data processors are required to notify their customers “without undue delay.” Additional requirements make it easier for individuals to learn how their data is going to be used and processed, to request data erasure, and to receive the personal data that organisations collect about them.
And then there are the substantial fines and penalties mandated by the GDPR for non-compliance. There are two tiers of fines: up to 10 million pounds or 2% of annual global turnover (revenue) for the previous year, whichever is higher; and up to 20 million pounds or 4% of annual global turnover, whichever is higher. Breaches of data subjects’ rights are expected to attract the higher-tier fine, although many factors will help determine the actual amount, including the duration and gravity of the infringement and the types of personal data affected. The level of cooperation and the behaviour of the organisation will also influence the final fine.
Data Breaches and the Impact of GDPR
Let’s take a look at some of the largest data breaches that have occurred and use them to illustrate how the GDPR would have affected the companies involved if it had been in effect at the time of the breach.
When 3 billion user accounts were breached at Yahoo in 2013-2014, it represented the largest data breach in history. Not only was the scope significant, but the company didn’t disclose the breadth of the breach within 72 hours as the GDPR requires; in fact, it took until October 2017 for Yahoo to fully acknowledge the extent of the multiple breaches that occurred in 2013-2014. With revenue in excess of $4 billion for 2012, Yahoo would have faced millions of dollars in fines if the GDPR had been in place: $80 million, but potentially as much as $160 million depending on the variable factors of the GDPR, including the culpability of the company and how cooperative it was.
Even though the time between eBay discovering its 2014 data breach, which affected 145 million eBay users, and its notification to consumers was relatively short (the breach was discovered in early May, and the company notified its users later that month), it still wasn’t within the 72-hour requirement of the GDPR. Although names, addresses, dates of birth and passwords were compromised, financial information remained secure. At the time, the company was criticised for its lack of communication and for trouble with its password-renewal process, but ultimately, because the financial information wasn’t compromised, the fines might have been lower. Its turnover for 2013 was $6.6 billion, so the percentage-based penalty would have exceeded the flat 10 or 20 million pound amounts; it would not have qualified for the lower fine.
In one of the largest cyberattacks of 2017 (that we know of so far), the personal information of 143 million consumers was compromised, and an additional 209,000 also had their credit card data exposed, when a breach was discovered in July. The company failed to meet the 72-hour notification requirement of the GDPR, making the breach public only in September. It did launch a website so consumers could check whether their data had been compromised and offered credit monitoring to all U.S. consumers, so it might have received high marks for its cooperation and post-breach actions; however, it would still have qualified for the higher-tier fine, having reported $3.1 billion in revenue for 2016.
As these examples illustrate, with the GDPR in effect, companies will face grave consequences and fines when data breaches occur. The regulations are strict, and all companies doing business in the EU or with citizens of the EU need to be sure they have processes in place to meet the GDPR requirements now.