Wednesday’s announcement by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) of its decision to fine Booking.com €475,000 highlights the importance of observing the GDPR’s strict breach notification rules.
The AP’s investigation related to a personal data breach dating back to December 2018. Hackers gained access to the Booking.com login details of employees at 40 hotels in the United Arab Emirates. The cyber criminals were able to pose as hotel employees and collect personal data (including payment card and security code details) belonging to over 4,000 hotel customers via the Booking.com platform.
Booking.com became aware of the breach on 13 January 2019 but only notified the AP on 7 February 2019. The company is regulated by the AP because its headquarters are in the Netherlands.
The EU General Data Protection Regulation (GDPR), retained in Britain post-Brexit under the UK GDPR, requires organisations to report a personal data breach to their national supervisory authority within 72 hours of becoming aware of the breach.
The AP’s Vice-President, Monique Verdier, called Booking.com’s failure to report the incident until 22 days after the three-day deadline had expired, “a serious violation”.
She added: “A data breach can unfortunately happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time.”
Issuing the fine, the regulator emphasised that large companies processing personal data of millions of customers have a great responsibility, not only to protect that data and prevent a leak, but also to take quick action should things go wrong.
In a statement, Booking.com sought to clarify the position: “…the Dutch DPA fine relates specifically to late notification to them of this incident and is not connected to Booking.com’s security practices, nor to the overall handling of the incident in question.
“In fact, the DPA report acknowledges Booking.com’s transparent and open handling of this incident, including how we subsequently supported affected customers and partners, which has led them to actually reduce the standard amount of the fine by €50,000.”
Whilst it can be challenging for businesses to meet the 72-hour breach notification deadline, especially where the incident is large, this case demonstrates how seriously regulators take this obligation.
It can be tempting to want to gather all the information together before notifying the authorities, but experience suggests that supervisory authorities will take a more lenient approach with organisations that report early, even if they are still investigating the breach.