British Airways and global hotel chain Marriott have been hit with the news this week that they could face thumping fines for data breaches – potentially £183.4m for BA and £99m for Marriott.
Both penalties are proposed by the UK Information Commissioner's Office (ICO) under the General Data Protection Regulation (GDPR); at this stage they are notices of intent, not final fines.
BA's potential penalty follows a 2018 data breach that compromised the personal and payment details of around 500,000 customers. Marriott's potential fine stems from a compromise of the Starwood guest reservation database that began in 2014 and went undetected until 2018, exposing close to 339 million guest records globally.
In a statement BA said it was “surprised and disappointed” by the news. Marriott said it would appeal.
GDPR Gets Serious
Both fines would be well in excess of the previous maximum of £500,000 under the Data Protection Act 1998, a ceiling the ICO reached only rarely, most prominently against Facebook for its role in the Cambridge Analytica scandal.
Under GDPR the ICO can impose a maximum fine of €20m or 4% of an organisation's worldwide annual turnover, whichever is higher.
In BA's case, its potential fine represents just 1.5% of turnover in 2017, while Marriott's represents about 3% of the hotel company's $3.6bn revenue from 2018.
Organisations should take the intended fines as a clear statement that compliance risk is serious where GDPR is concerned, and that failing to protect customer data is going to hurt.
In announcing the fines, ICO commissioner Elizabeth Denham said organisations need to understand that failing to protect data from loss, damage or theft will result in “more than an inconvenience.”
“When you are entrusted with personal data, you must look after it,” she cautioned. “Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Penalties are only the beginning
The unprecedented size of the intended penalties will shock everyone from the executive suite on down. It will also set off alarms in marketing and PR departments working hard to demonstrate that their brands can be trusted.
Studies have shown that customers abandon brands after a major security incident. Companies are now being judged on how well they protect data.
Travel and retail are particularly exposed to lost sales after a breach, with up to a third of consumers saying they will take their business elsewhere. In addition, companies that have been breached find the cost of acquiring new customers goes up.
A recent survey from PCI Pal on consumer trust shows that Brits take a particularly dim view of brands after a breach.
Reputation takes a bigger hit in the UK than in the US: 41 percent of British consumers said they would steer clear of a brand for good following a hack, compared with just 21 percent of Americans.
The travel sector is seen as especially weak when it comes to safeguarding personal data.
By contrast, 62 percent of American consumers would stop spending with a company after a hack, but only for a few months; only 44 percent of British consumers said they would do the same.
A third of UK consumers said they would spend less with brands they perceive to have poor data practices, and big companies are assumed to be less trustworthy on data protection than smaller ones.
Some 55 percent of UK consumers felt a local shop would be a better custodian of their data than a large company, reasoning that a smaller business is a less likely target for hackers and more likely to care about its reputation.
Ignore customer concerns about security at your peril
The BA and Marriott potential fines serve as a clear warning for any organisation that holds personal data. Legislation and consumer awareness are both moving in the same direction: stronger expectations that data will be protected, and penalties for organisations that don't measure up.
The arrival of GDPR has handed regulators a compliance hammer and raised cyber awareness generally, with a tangible impact on how British consumers value their privacy and on how diligently they expect businesses to protect it.
The truth is that data breaches aren’t going away any time soon, and a full picture of the costs they impose may not become apparent for months after an incident.
How well a company reacts can mitigate the long-term damage caused by a breach. But organisations also need to continually assess their security posture, along with how aware people inside the organisation are of just how sensitive privacy and data protection have become for consumers.
Getting this wrong, or letting the perception seep in that you're a bit fast and loose where information security is concerned, is a recipe for lost revenue.
Want to learn more about empowering your employees' security defences? Why not sign up for a free demo and find out how we're already helping organisations just like yours.