Fines May Be the Least of Your Worries – Respond Quickly, or Else


Data breach notification has become a standard part of data protection regulations, and it shapes how organisations must handle a breach. In 2021, Singapore’s Personal Data Protection Act (PDPA) introduced mandatory breach notification within 72 hours.

In most cases, there are severe consequences for non-compliance with these regulations. Aside from exorbitant fines, there is also the possibility of reputational damage and loss. It is therefore crucial that organisations have a robust breach response plan as well as clear instructions on how the plan will be carried out.

Case Study: Twitter

Ireland’s Data Protection Commission (DPC) fined Twitter €450,000 ($547,000) for failing to report, within the legally required timeframe under Europe’s General Data Protection Regulation (GDPR), an issue in which the protected tweets of some Android users became unprotected.

The DPC gave its final decision after an investigation that started in January 2019. When Twitter experienced a data breach in 2018 (during the holiday season), the DPC was notified. However, the company did not give the 72-hour notice required by the regulation.

Twitter breached Articles 33(1) and 33(5) of the GDPR because it failed to notify the DPC within the required timeframe and was unable to sufficiently document the data breach that transpired.

Case Study: Booking.com

Just like Twitter, Booking.com was fined €475,000 ($560,000) after failing to report a data breach within the timeframe mandated by the GDPR. In 2018, 40 employees from different hotels in the United Arab Emirates (UAE) became the target of telephone scammers.

It was later discovered that the attackers were able to obtain Booking.com login credentials and used them to access the personal information of more than 4,100 clients who had booked a hotel room in the UAE through the Booking.com website. As if that were not enough, the credit card information of 283 customers was also exposed.

In at least 97 of those cases, the CVV code was compromised as well. The attackers also tried to obtain customers’ credit card information by telephone and email, impersonating a Booking.com employee to do so.

Based in the Netherlands, Booking.com was first notified of the breach on January 13, 2019. However, it only reported the incident to the Dutch Data Protection Authority (AP) on February 7. Because it failed to report the breach within 72 hours, it failed to comply with the GDPR.

The two case studies clearly illustrate that merely reporting a data breach to the authorities is not enough. When organisations fail to meet the timelines mandated by data protection regulations, they can face hefty fines and penalties. Knowing in advance how your organisation will react to a data breach is therefore crucial, because it lets you expedite your response.

If you want to learn more about data protection tools, courses and certifications, such as the Practitioner Certificate in Data Protection, you can check with DPEX to gain better insight and understanding. It is also recommended that you learn the practical applications of Data Protection Impact Assessment and Data Protection by Design.
