Wednesday 10 July 2019

Simon on: Data Breach; Marriott and British Airways pay the price

In the last few days, the Information Commissioner’s Office (ICO) has announced its intention to fine British Airways £183m and Marriott nearly £100m for data breaches reported since GDPR came into effect in May 2018.
The fact that the ICO has started talking about these two large fines so closely together leads me to wonder if the ICO may be making an example of these two businesses, using these incidents to set a precedent and to shock companies into realising that data security is a serious matter. Although the BA fine was pretty huge, it only actually equates to around 1.5% of their turnover for 2017, and the ICO could have gone up to 4% of global turnover if it deemed that necessary.
It’s also worth remembering that the ICO has always preferred the carrot to the stick; it will only dish out huge fines if a company has been negligent. BA was negligent, whilst Marriott was warned about the database it took on when it acquired the Starwood hotel chain, and the breach went on for a four-year period.
The ICO aren’t the bad guys; if a company has truly done everything in its power to prevent a hack then it is likely that they will be accommodating. This ruling has demonstrated that if an organisation is careless with personal data the ICO will come down like a ton of bricks with a fine that reflects the error, because it’s the only way to hit them where it hurts: their profits.
The world has changed and GDPR has been introduced to ensure organisations step up to that change. It is predicted that half of retail sales in the UK will be conducted over the internet by 2028; that’s a huge number of transactions and a huge amount of trust that consumers are placing in companies who process their data. GDPR has quite rightly given the ICO the power to force companies to do better. This is not an area that could be self-regulated; GDPR was a necessary introduction and I’m glad that the ICO is now exerting its power.
These multi-million-pound fines could be just the tip of the iceberg for BA and Marriott. The impact these fines could have on their share prices could end up increasing the figures tenfold. GDPR also states that data subjects can sue a company for ‘material and non-material damage’ if their personal data is lost. So we may see class action lawsuits created by lawyers representing the swathes of people affected by these breaches. Will data breaches become the new PPI?
I hope that these fines will be the wake-up call that the ICO intends them to be: to make boardrooms all over the country sit up and realise that data protection is a serious matter, to ensure that they repeatedly ask their IT teams “can we do anything else to protect the personal data we hold?” and then put sufficient talent and budgets in place to ensure changes are implemented.
So go now and ask your IT team if they are doing everything possible to prevent a data breach, and if they aren’t, then listen to them and implement their recommendations. Losing four percent of your company’s turnover can make a big dent in your profits and an even bigger dent in your reputation.
If you still don’t understand GDPR, there are a lot of useful guides on the ICO website, and even a guide specifically written for the events industry on our website. Or come and find me at one of the industry shows – I’m always happy to help a small business who is taking data security seriously and just wants to get it right.

Monday 1 July 2019

Simon on: A Matter of Trust

Last month one of our competitors’ platform and main website went offline for most of a week, leaving their customers high and dry. How do I know this? Because some of their customers – the ones who were organising imminent events – came to us in a panic to see how we could help them instead.
We don’t know what happened because the company is staying tight-lipped, possibly because of the length of time it took them to recover. Problems can hit any business, and plenty of huge sites have fallen prey to hacks or outages in the past. So it’s not the outage that surprised me but the length of time that their systems were offline. As a supplier of a business-critical service, they should be able to recover and get back on their feet again in a matter of minutes, not days.
If they were hacked (which is one possibility) then I believe it’s important for an organisation to ‘own’ the hack, to admit they had a problem and be honest and open about it. Of course, if this was a reportable data breach because personally identifiable information was lost or stolen then both the ICO and the Data Controllers would need to be informed. Failure to do so could result in a fine of up to €20m or four per cent of global revenue (whichever is higher).
This situation has led me to reflect on our own situation: we have multiple redundancies and plenty of backups, which mean we can recover from a server problem quickly and easily. One of the main technologies we use for this is called containerisation. That may be something you’ve never heard of, but it enables us to build and deploy a brand new server with a very complicated setup in less than 10 minutes. Containerisation is a method where you build everything your website or web application requires, including all of the services and configuration, into a single ‘package’ that can be deployed quickly and easily.
Servers used to be like treasured pets: they were expensive to purchase and so they were looked after for as long as possible. If they went wrong, they were repaired. But now they are a simple commodity – if one goes wrong you quickly get rid of it and get a new one. If a server shows any hint of going wrong, you can quickly and easily move all of your business onto a new one.
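To make the two paragraphs above concrete, here is an added example of what such a ‘package’ looks like in practice. It is not the blog’s or the company’s own configuration; it assumes a small Node.js web application (a hypothetical `server.js` with its `package.json` and `package-lock.json`) that listens on port 8080 and answers `GET /healthz`. Everything the application needs, from the runtime version to the configuration, is described in one file, so a replacement server is a rebuild rather than a repair.

```dockerfile
# Added example, not the blog's or the company's own configuration.
# Assumptions: a hypothetical Node.js service (server.js, package.json,
# package-lock.json in the build directory) listening on port 8080 and
# answering GET /healthz.

# Pin the base image so every rebuild produces the same runtime,
# not whatever "latest" happens to be on the day a server is replaced.
FROM node:18-slim

# Configuration is baked into the image instead of hand-edited on a live
# server. Secrets (database credentials etc.) are NOT baked in; they are
# injected at run time with -e / --env-file.
ENV NODE_ENV=production \
    PORT=8080

WORKDIR /app

# Install the exact dependency versions from the lock file; npm ci refuses
# to run if package.json and package-lock.json have drifted apart.
COPY package.json package-lock.json ./
RUN npm ci --omit=dev

COPY server.js ./

# Run as the unprivileged "node" user that the official image provides, so a
# compromise of the application does not hand out root inside the container.
USER node

EXPOSE 8080

# A failing health check marks the container unhealthy so it can be replaced
# automatically (the "get a new one" approach) rather than nursed back to life.
HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
  CMD node -e "require('http').get('http://127.0.0.1:8080/healthz', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))"

CMD ["node", "server.js"]
```

Building the package is `docker build -t eventsite:2019-07 .` and starting it on any host with Docker installed is `docker run -d -p 8080:8080 --env-file ./production.env --restart=unless-stopped eventsite:2019-07`; moving the business onto a new server is nothing more than running those two commands there, which is also the drill to rehearse before an event rather than during one.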
What would your company do if it were hacked? What would happen if your website went down a week or even a day before your event? How long would it take your IT team to get the business back up and running again – especially if it is the eve of your event and everyone is stressed to the nines? Don’t let people just tell you the answer – ask them to prove it by doing it now, and not when you have a problem because then it’s too late to put anything right.
So be prepared for the worst and if anything unfortunate does happen, please be honest and open about it. We all know that honesty is the best policy and your customers will thank you for it.