ICO Fines Marriott International £18.4 Million for GDPR Violation

The Information Commissioner’s Office (ICO), the data protection authority in the United Kingdom, has imposed a £18.4 million ($23.8 million) financial penalty on Marriott International for violations of the EU’s General Data Protection Regulation (GDPR).

The ICO investigated Marriott over its massive data breach that affected 339 million customers, 30.1 million of whom reside in the EU, including 7 million in the UK. The ICO investigators identified multiple security failures and determined Marriott had failed to implement appropriate technical and organizational measures to protect the personal data of EU citizens being processed on its systems, in violation of the GDPR.

The data breach in question affected Starwood Hotels and Resorts Worldwide, which Marriott acquired in 2016. In July 2014, hackers attacked Starwood and installed a web shell on one of its websites, which allowed them to access a server and install a remote access Trojan that gave them persistent access. The attackers were able to explore the network and used the Mimikatz tool to steal passwords, then installed malware that allowed them to steal payment card data and personal information. The attackers had full access to the initially compromised device and to the other devices on the network that the compromised account could reach. The breach was discovered four years later.

The types of data stolen by the attackers varied from individual to individual and may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty program membership numbers.

The financial penalty could have been considerably higher. Under the GDPR, companies found to have violated GDPR provisions can be fined up to €20 million (£18,077,500 / $23,582,460) or 4% of global annual turnover, whichever is greater. In 2019, the ICO announced its intention to fine Marriott £99.2 million ($128.2 million) for the data breach but after considering Marriott’s representations, the speed and thoroughness of its breach response, and the impact COVID-19 has had on the hotel group, the decision was taken to reduce the financial penalty.

The ICO notes that when the breach was discovered, Marriott acted quickly and reported the breach to the appropriate data protection authorities and promptly notified affected customers. Since the breach, Marriott has implemented a range of new measures to improve system security and rapidly detect breaches should they occur. Marriott has issued a statement confirming it will appeal the financial penalty.

The post ICO Fines Marriott International £18.4 Million for GDPR Violation appeared first on HIPAA Journal.

Google Slapped with $8 Million GDPR Penalty

Google has been slapped with a 75 million kroner ($7.8 million) GDPR fine by the Swedish Data Protection Authority (DPA) over the failure to comply with ‘right-to-be-forgotten’ requests from EU citizens to have webpages removed from its search engine listings.

The right to be forgotten in the EU predates GDPR. It was first introduced in EU legislation in 2014 following a ruling by the Court of Justice of the European Union in the case Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González. The law requires search engines to remove links to freely accessible webpages that appear in search results generated from a search of an individual’s name, if that individual requests the listing be removed and if certain conditions are satisfied.

GDPR strengthened the right to be forgotten. If a request is received from an EU citizen who wishes to exercise the right to be forgotten, provided the request does not collide with the right of freedom of expression and information, “personal data must be erased immediately where the data are no longer needed for their original processing purpose, or the data subject has withdrawn his consent and there is no other legal ground for processing.”

Google has received millions of requests from EU citizens to have content delisted and approximately 45% of those requests have been fulfilled.

The Swedish DPA conducted an audit of Google in 2017 to assess how Google was handling requests to delist webpages indexed by its search engine and Google was ordered to delist several webpages.

In 2018, the Swedish DPA followed up on the audit and discovered Google had not delisted all the search results detailed in the order. The GDPR fine relates to two of the listings Google was ordered to remove. In one case, Google’s interpretation of the web addresses that needed to be removed was determined to be too narrow. In the second case, Google failed to delist the search result listing without undue delay.

The Swedish DPA also found that when Google delists webpages, it sends notifications to the website owners alerting them to the removal of the content from its listings and telling them who made the request. These notifications make website owners aware of the delisting, but they also allow the owners simply to republish the delisted content at a different URL.

The Swedish DPA said that this approach undermines the effectiveness of the right to be forgotten, stating “Google does not have a legal basis for informing site owners when search result listings are removed, and furthermore gives individuals misleading information by the statement in the request form.”

“We disagree with this decision on principle and plan to appeal,” said a spokesperson for Google in a statement about the financial penalty. Under EU law, the appeal must be launched within 3 weeks.

German Telecoms Firm Slapped with $10.56 Million GDPR Penalty

A data protection authority in Germany has issued one of the largest ever GDPR penalties to the telecommunications and hosting firm 1&1 Telecommunications. The fine was issued for a failure to implement appropriate technical and administrative measures to authenticate individuals in its call centers.

1&1 Telecommunications, a subsidiary of United Internet Group, is one of the largest telecommunications and mobile service providers in Germany. The firm was investigated by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) after a report was received that the only information required to authenticate customers in its call centers was a name and date of birth – information that can easily be found on social media sites. If a correct name and date of birth was provided, it was possible to obtain an extensive range of sensitive information on customers.

BfDI determined that 1&1 Telecommunications had failed to comply with Article 32 of the EU’s General Data Protection Regulation. Article 32 requires appropriate technical and administrative measures to be put in place to protect the processing of personal data. The inadequate authentication measures meant the confidentiality of customer data was put at risk. Since the failure had potential to place its entire customer base at risk, a financial penalty was deemed appropriate.

On December 9, BfDI announced that a penalty of €9.55 million ($10,556,000) had been issued. The financial penalty took into account the relatively small size of the company and the level of transparency and cooperation in the investigation. When contacted by BfDI and advised about the GDPR violation, 1&1 Telecommunications implemented an additional authentication measure and cooperated fully with the investigation. The company also continued to improve its authentication processes and will now require customers to provide a PIN before any data is disclosed.

1&1 Telecommunications believes the fine is disproportionate and that it was calculated based on wider company sales. The telecommunications company will appeal the fine and is considering suing BfDI. While the financial penalty is significant, it is much lower than the maximum possible penalty for a GDPR violation, which is €20 million ($22,110,800) or 4% of global annual turnover, whichever is greater.

This is the second multi-million Euro GDPR penalty to be issued in Germany in the past two months. In October, the Berlin Data Protection Authority, Berliner Beauftragte für Datenschutz und Informationsfreiheit, imposed a €14.5 million ($16.26 million) penalty on the German property company Deutsche Wohnen. The company was storing data on current and former tenants in a system that did not allow data to be deleted. Data was being retained long after the purpose for which the information had been collected had been satisfied.

BfDI also announced on December 9 that a €10,000 ($11,033) financial penalty was imposed on Rapidata GmbH for a violation of Article 37 of GDPR. The company had failed to appoint a data protection officer, despite repeated requests from BfDI.

The State Commissioner for Data Protection and Freedom of Information in Rhineland-Palatinate also issued a GDPR fine in December. A hospital in the state of Rhineland-Palatinate in Germany must pay €105,000 ($93,525) to resolve violations of several provisions of GDPR related to patient admissions, which could easily lead to patient mix-ups. The investigation uncovered multiple technical and organizational failures related to patient and privacy management.

Sweden Issues GDPR Fine to School for Unlawful Use of Facial Recognition Technology

The Swedish Data Protection Authority (DPA) has issued its first ever financial penalty for a violation of the EU’s General Data Protection Regulation (GDPR).

The 200,000 SEK fine (€19,000/$21,000) was issued to a high school in Skellefteå which conducted a pilot study that used facial recognition technology to monitor student attendance. Assisted by IT company Tieto, the school used CCTV cameras and facial recognition technology to monitor the attendance of 22 students at school. The trial ran for three weeks in late 2018.

The aim of the trial was to determine whether facial recognition technology could be used in place of standard roll calls in classes. Under Swedish law, schools are required to conduct a roll call at the start of each lesson, which places a considerable administrative burden on teachers and reduces the time spent teaching students.

According to Tieto, the school was losing 17,280 hours a year simply marking attendance. That equates to 10 full time jobs.

The pilot was conducted with the best intentions but the DPA determined the school violated several articles of GDPR. GDPR was introduced to protect the privacy of EU citizens and give them much greater control over the use of their personal data.

The DPA determined the school unlawfully processed the biometric data of its students and failed to conduct a proper impact assessment. Facial recognition data is treated as sensitive information and requires greater protection than other, less-sensitive data types. The school also failed to notify the DPA about the pilot.

The school maintained it had obtained consent from all students involved in the pilot, but the DPA determined the consent to be invalid as there was “a clear imbalance between the data subject [student] and the controller [municipality].”

The financial penalty could have been much more severe. The GDPR penalty structure permitted a maximum fine of €1 million ($1.1 million) for the violations.

Netherlands Hospital Hit with €460,000 GDPR Data Breach Fine

The GDPR data protection authority in the Netherlands – Autoriteit Persoonsgegevens – has issued its first GDPR data breach fine to Haga Hospital in The Hague. Haga Hospital has been fined €460,000 ($516,000) for security failures that contributed to a privacy breach in 2018.

The EU’s General Data Protection Regulation requires all entities that collect or process the personal data of EU citizens to implement appropriate security measures to ensure that information remains private and confidential. In the event of a data breach, the appropriate data protection authority must be notified within 72 hours and the breach will be investigated.

In this case, the breach involved a single patient’s records – a well-known Dutch person. Those records were viewed, without authorization, by several employees at the hospital. The Dutch News website named the patient as Samantha de Jong, also known as ‘Barbie’.

The GDPR investigation revealed the hospital had poor internal security controls for patient records, had failed to implement two-factor authentication, and was not regularly reviewing log files to identify unauthorized data access. The lack of appropriate security measures to protect personal data was in violation of GDPR requirements and a fine was deemed necessary. The hospital will now be monitored to make sure that security is improved. Further fines will be issued if security is not brought up to the standards demanded by GDPR.
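The finding that the hospital was not reviewing log files is the one a security team can act on directly. The following Python is an added example, not code from Haga Hospital or the Dutch DPA: it runs the minimal review over a constructed record-access log, flagging views by staff with no treatment relationship to the patient and surfacing records viewed by an unusually large number of distinct users (the pattern in this case). The log format, user and patient identifiers, and care-team assignments are all constructed for illustration.

```python
"""Audit-log review for unauthorized patient-record access (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format (assumption, not a real EHR product's format):
#   <ISO timestamp> user=<id> action=<VIEW|UPDATE> patient=<id> ward=<name>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) ward=(?P<ward>\S+)$"
)

# Constructed sample log: several staff from other wards open one patient's record.
SAMPLE_LOG = """\
2018-04-02T08:12:05 user=nurse_a action=VIEW patient=P-1001 ward=cardio
2018-04-02T08:15:44 user=dr_b action=UPDATE patient=P-1001 ward=cardio
2018-04-02T09:01:10 user=clerk_c action=VIEW patient=P-1001 ward=admin
2018-04-02T09:03:31 user=nurse_d action=VIEW patient=P-1001 ward=ortho
2018-04-02T09:04:02 user=nurse_e action=VIEW patient=P-1001 ward=ortho
2018-04-02T10:30:00 user=dr_b action=VIEW patient=P-2002 ward=cardio
2018-04-02T11:45:12 user=nurse_a action=VIEW patient=P-2002 ward=cardio
this line is malformed and must be skipped by the parser
"""

# Constructed care-team assignments: the users with a treatment relationship.
CARE_TEAM = {
    "P-1001": {"nurse_a", "dr_b"},
    "P-2002": {"dr_b", "nurse_a"},
}


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_unauthorized_access(events, care_team):
    """Return (user, patient, timestamp) for every access by someone outside
    the patient's care team. A patient absent from care_team has no
    authorised viewers at all, so every access to that record is flagged."""
    hits = []
    for ev in events:
        if ev["user"] not in care_team.get(ev["patient"], set()):
            hits.append((ev["user"], ev["patient"], ev["ts"].isoformat()))
    return hits


def distinct_viewers(events):
    """Count distinct users per patient record: many viewers of one record is
    the 'curiosity' signal that a periodic log review would have caught."""
    viewers = defaultdict(set)
    for ev in events:
        viewers[ev["patient"]].add(ev["user"])
    return {patient: len(users) for patient, users in viewers.items()}


def review(text, care_team, viewer_threshold=3):
    """Run both checks over a raw log and return the findings."""
    events = parse_log(text)
    counts = distinct_viewers(events)
    return {
        "unauthorized": find_unauthorized_access(events, care_team),
        "high_interest": sorted(p for p, n in counts.items() if n >= viewer_threshold),
    }


if __name__ == "__main__":
    for finding, detail in review(SAMPLE_LOG, CARE_TEAM).items():
        print(finding, detail)
```

In production the care-team lookup would come from the admission or scheduling system, and the review would run on a schedule rather than by hand.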

The hospital has been given until October 2, 2019 to make the necessary improvements or a further fine will be issued at a rate of €100,000 every two weeks up to a maximum of €300,000. Haga Hospital has agreed to implement additional security measures to improve its security posture.

Last year, a similar fine was issued to Centro Hospitalar Barreiro Montijo in Portugal by the Portuguese data protection authority. The hospital had also failed to secure records and prevent unauthorized access from within the hospital. The Portuguese hospital was fined €400,000 for its security failures.

ICO Proposes $123 Million GDPR Fine for Marriott

Just a few days after the UK’s Information Commissioner’s Office (ICO) announced its intention to fine British Airways £183 million ($230 million) for its 383 million-record breach comes another financial penalty for GDPR violations.

ICO has announced its intention to fine Marriott £99 million ($123 million) for its breach of around 339 million customer records, which was discovered in 2018.

The ICO is the UK’s GDPR supervisory authority. When a data breach is experienced that results in the exposure of EU citizens’ data, the breach must be reported to the ICO within 72 hours of discovery. The ICO investigates data breaches to determine whether GDPR rules were violated. The ICO also investigates complaints about GDPR violations from consumers.

After receiving Marriott’s breach report in September 2018, ICO launched an investigation. It is not reasonable to expect companies to be able to prevent all data breaches but, under GDPR, reasonable and appropriate security measures should be implemented to reduce the risk of a breach to a low and acceptable level.

In Marriott’s case, the breach occurred at Starwood Hotels & Resorts Worldwide in 2014 when hackers gained access to a guest reservation database. Marriott purchased the hotel chain in September 2016 but failed to discover the compromised database until September 8, 2018.

ICO determined Marriott had failed to conduct sufficient due diligence on Starwood Hotels when it was negotiating its acquisition, and Marriott should have done more to secure its systems and protect the personal information of its customers.

“The GDPR makes it clear that organizations must be accountable for the personal data they hold,” said Information Commissioner Elizabeth Denham. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

Marriott cooperated fully with the ICO investigation and has already overhauled its security program and has improved its security posture. Marriott has 28 days to appeal the proposed £99,200,396 fine before ICO makes its final determination. “We are disappointed with this notice of intent from the ICO, which we will contest,” said Arne Sorenson, president and CEO of Marriott.

British Airways Faces £183 Million GDPR Fine for 2018 Data Breach

The UK Information Commissioner’s Office (ICO), the GDPR supervisory authority, has issued the largest GDPR penalty to date to British Airways. British Airways can appeal, but as it stands the ICO will fine the airline £183.39 million ($228 million) for security failures that led to a 2018 cyberattack on its website.

The fine surpasses the previous record of £500,000 ($623,000) issued to Facebook over the Cambridge Analytica scandal. For British Airways, however, its breach occurred after May 25, 2018 – the effective date of the EU’s General Data Protection Regulation.

GDPR updated a previous EU directive and in addition to introducing a slew of new privacy and security regulations, the penalties for privacy and data security failures were substantially increased. The maximum penalty for a serious GDPR violation is now €20 million ($22.4 million) or 4% of global annual turnover, whichever is higher.

The £183 million penalty corresponds to 1.5% of BA’s global annual turnover for 2017. The maximum penalty would have been close to £500 million if its holding company, International Airlines Group (IAG), had been found to be involved. The global annual turnover for IAG in 2017 was €2.27 billion.

Under GDPR, entities that experience a breach involving the data of EU citizens must report the breach within 72 hours of discovery. BA announced its breach and reported the incident to ICO on September 6, 2018, one day after the breach was discovered.

The subsequent ICO investigation uncovered security failures that were exploited by hackers to gain access to BA’s website. Code was inserted which redirected visitors to a fraudulent website where personal information and credit/debit card details were stolen. According to ICO, the personal and financial information of around 500,000 customers was stolen. ICO said the breach occurred some time in June 2018 and continued until September 5.

The fine was not issued for the breach itself. ICO has said the fine reflects the seriousness of the security failures that opened the door to the hackers.

The ICO has only issued a ‘Notice of Intent’ to fine BA. BA now has 28 days in which to launch an appeal. “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” said Willie Walsh, chief executive of International Airlines Group.

AWS Chief Technology Officer Allays Fears about Cloud Security and Talks about the Huge Potential of Alexa Voice Technology

Amazon Web Services’ chief technology officer, Werner Vogels, has been dispelling security myths about cloud computing at the Dublin Tech Summit in Ireland this week.

Concerns have been raised about the security of data stored in the cloud, especially following the discovery that 540 million Facebook records had been exposed on AWS, one of several high-profile data breaches that have involved AWS-stored data in the past 12 months.

Fears About Compliance and the Cloud

Companies required to comply with the General Data Protection Regulation (GDPR) must ensure that the personal data of EU citizens is secured and kept private and confidential. Since GDPR came into effect on May 25, 2018, the potential penalties for data exposures have increased significantly. It is therefore understandable that companies are concerned about storing data in the cloud rather than on on-premises infrastructure that they feel better able to secure.

Germany’s federal commissioner, Ulrich Kelber, spoke before Vogels at the Tech Summit and voiced his concerns about American cloud storage providers, stating that they should not be used for hosting police data as there was a risk of snooping. The federal commissioner was particularly concerned about the passing of the Cloud Act in 2018, which could allow federal law enforcement to gain access to data stored by U.S. technology companies.

Many companies in the United States are also wary about using the cloud for storing sensitive data such as protected health information, and the potential for HIPAA violations. As is the case with GDPR, the penalties for data exposure can be severe and, for small healthcare organizations, potentially catastrophic.

Vogels explained that cloud security should not be a concern and storing data on AWS is perfectly secure. His advice to all AWS users is “encrypt everything,” but at a minimum, make sure that all personally identifiable information is encrypted.

By encrypting data, companies can meet the requirements of GDPR, HIPAA, and other federal and state regulations. As for the Cloud Act, if a technology company is served with a warrant to release data but the AWS customer has encrypted that data using modern encryption standards and is the only party holding the key to decrypt it, the data remains perfectly secure. Any conversation about data access is then between law enforcement and the customer. AWS will not be involved.

Vogels also explained that AWS has improved its controls to make it harder for data to be exposed. All customer information is now closed off by default. It takes a deliberate action to remove AWS protections and leave data accessible. Should that happen, major red flags are raised.

Vogels said, “We’re very strong believers that the best way to help our customers protect themselves from whatever bad actors you can imagine is to ensure encryption is as easy to use as any other digital service.” Encryption is offered through AWS to make securing sensitive data as easy as possible.

Voice Technology Has Huge Potential

Vogels also spoke about one potentially big area for Amazon, big even by Amazon’s standards. Vogels said Amazon is not looking to invest in technologies that will add $100 million to the balance sheet. Amazon is looking for billion-dollar plus opportunities. Alexa voice technology is a prime example.

Amazon Alexa is the leading voice technology and has already found uses in healthcare. HIPAA was something of a stumbling block as the regulations covering protected health information are strict, but Amazon has recently solved that problem. Amazon is offering business associate agreements to a select group of companies and has made sure that its voice tech can transfer data securely in a manner compliant with HIPAA Rules. Last week Amazon announced that six new healthcare skills had been launched that could be used in connection with PHI. The company will be collaborating further with healthcare organizations, although by invite only at this stage.

Skills have also been developed by WebMD which allow users to ask questions about their symptoms using voice commands rather than entering information on a website. These skills are just the tip of the iceberg, and the potential uses of voice technology in healthcare are huge. Alexa could even be used by people to gain access to healthcare information stored in their EHRs in the not too distant future.

Vogels certainly believes voice technology is the way forward and thinks voice commands will be the main way that people interact with digital systems in the future.

59,000 Data Breaches Reported to GDPR Supervisory Authorities: 91 Fines Issued

A new report from DLA Piper indicates 59,430 data breaches have been reported to EU supervisory authorities since the GDPR compliance deadline of May 25, 2018. The majority of the data breaches have been reported in the Netherlands (15,400), Germany (12,600), and the United Kingdom (10,600).

The Netherlands saw the highest number of breaches per capita, followed by Ireland, and Denmark. It is worth noting that many non-EU companies have registered bases in EU member states and any data breaches experienced by them count toward the total for the country where their European HQ is established. Many non-EU firms, including Google, Facebook, Twitter, and Microsoft, have chosen Ireland for their European base.

Obtaining accurate numbers for data breach reports was a challenge. Official EU figures suggest that there had only been 41,502 data breaches reported between the compliance deadline and January 28, 2019; however, those figures do not include Norway, Iceland, and Liechtenstein, which are not members of the EU but are part of the European Economic Area (EEA). The official figures also only included data breaches reported in 21 of the 28 member states.

The data for the DLA Piper report came from breach notifications filed in 23 EU member states and by EEA members. Data breach reports have not been made public in Bulgaria, Croatia, Estonia, Lithuania, and Slovakia.

The number of data breaches reported so far appears higher than before GDPR came into effect. That does not mean there has been an increase in data breaches, only that more companies are reporting breaches and breaches are also being reported more quickly. GDPR requires breach notifications to be issued within 72 hours of the discovery of a breach.

Financial Penalties for GDPR Violations and Data Breaches

DLA Piper has been tracking GDPR fines since the compliance deadline. To date, 91 financial penalties have been issued. Financial penalties can be issued for any violation of GDPR. In addition to data breaches, GDPR supervisory authorities investigate complaints about privacy violations. It was such a complaint that resulted in the largest GDPR violation penalty issued to date, the €50 million ($57 million) fine for Google issued by the French supervisory authority, CNIL.

The supervisory authorities in Germany have been the most active enforcers of GDPR since the May 25, 2018 compliance deadline. 64 of the 91 fines have been issued in Germany. Those fines include the two largest financial penalties for companies that have experienced data breaches.

The chat platform Cuddles was fined €20,000 ($22,700) by the German Data Protection Authority LfDI for storing users’ passwords in clear text. LfDI also issued an €80,000 ($91,000) financial penalty to an organization that published health information on the internet – the second largest GDPR data breach fine to date.

Only a relatively small number of fines have been issued in relation to data breaches; however, many supervisory authorities are struggling with the volume of breach notices they have received and there is a considerable backlog to get through. Some data breaches reported in 2018 may still result in fines.

DLA Piper notes that the majority of the fines issued to date have been relatively low; much lower than the maximum penalty of €20 million or 4% of global annual turnover, whichever amount is higher. DLA Piper anticipates there will be several fines of tens or even hundreds of millions of euros issued in 2019 once the supervisory authorities have cleared the backlog of data breach reports and GDPR complaints.