Criminals successfully access the personal data of several thousand of your customers. You later inform the data protection regulator of the personal data breach, and they fine your organisation for . . . reporting the breach?! Sounds impossible? It isn’t, if the fine is for your organisation taking too long to notify them.
The Booking.com personal data breach
Booking.com is a Dutch online agency for booking accommodation and travel. In December 2018, criminals telephoned employees at 40 hotels in the United Arab Emirates and persuaded them to reveal the login credentials for their accounts in a Booking.com system.
Consequently, the criminals were able to access the names, addresses, booking details and telephone numbers of 4,109 customers who had booked a hotel room in the UAE. For 283 of those customers the compromised data also included credit card details, and in 97 instances the card security (CVV) code as well.
Booking.com was informed on 13 January 2019 that a data breach might have occurred, and it began an investigation. However, it did not report the breach to the Dutch Data Protection Authority (DPA) until 7 February 2019, once it was satisfied that a breach had in fact occurred.
Article 33 of the GDPR prescribes that a data controller: “ . . . shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority . . . unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
On 6 April 2021, the DPA announced that it had imposed a €475,000 fine on Booking.com for reporting the personal data breach 22 days too late: the DPA took 13 January 2019 as the date on which Booking.com became aware of the breach, so the 72-hour window closed on 16 January 2019.
DPA deputy chair Monique Verdier remarked: “Unfortunately, a data breach can occur anywhere, even if you have good precautionary measures in place. But in order to prevent harm to customers and future attacks, you have to report a breach on time.”
The importance of personal data breach management
In light of this, it is important that organisations incorporate a risk assessment mechanism within their documented personal data breach procedure. This will help them to determine how to handle “suspected” breaches appropriately, including whether it is necessary to notify the relevant data protection regulator as a precautionary measure. Note that the 72-hour clock starts when the organisation becomes aware of the breach, not when its investigation is complete, and that Article 33(4) of the GDPR expressly allows the required information to be provided in phases where it is not all available at once, so an initial notification need not wait for the full picture. The risk assessment should consider:
- the number of data subjects affected;
- whether the data subjects affected have special characteristics, for example children and vulnerable adults;
- the volume of personal data;
- whether the data included special and / or financial categories of personal data;
- the impact upon the availability, confidentiality and / or integrity of personal data;
- the severity of the consequences for the data subjects; and
- whether malicious third parties are involved.
Trilateral’s Data Governance and Cyber-Risk Team has significant experience supporting organisations in implementing appropriate security measures in respect of personal data. We offer a range of data governance services that can help your organisation to develop policies and procedures for ongoing compliance. Trilateral can help audit existing practices, perform gap analyses, and offer compliance support. For more information please feel free to contact our advisers, who would be more than happy to help.