Netherland’s data protection authority has imposed a fine of 475 000 EUR on Booking.com for a belated notification of a personal data breach to the supervisory authority. The incident happened back in December 2018, during which criminals targeted 40 hotels in the United Arab Emirates and thus illegally obtained data about 4 100 individuals who booked rooms at these hotels through Booking.com.
Criminals obtained the names, surnames, dates of birth and other personal data, together with access to almost 300 individual bank cards, of which 97 also had their security number stolen.
Booking.com learned about the incident on January 13th, 2019. Despite the obligation to inform the supervisory authority within 72 hours has been failed, the company submitted the notification about the incident 22 days late – only on February 7th 2019.
According to the data protection authority of the Netherlands, the clients of Booking.com are always at risk of large-scale personal data theft, thus the company has a major responsibility on ensuring the protection of the personal data protection on the millions of their individual clients, including the obligation to notify the data protection authority immediately if such an event occurs.
What can we learn?
- Implement breach detection, investigation, and internal reporting procedures at your company. You will be prepared in advance for crisis management, and this will facilitate decision-making, responsibilities, etc.;
- If a personal data protection breach occurs in your company, you are required not only to take actions to mitigate the outcome of the breach but also to inform the data protection authority immediately, within 72 hours;
- Keep a record of any personal data breaches, and an investigation report;
- Where feasible, ensure fair communication with affected data subjects and explain to them how to mitigate the risks;
- Ensure both external and internal communication about the data breach;
- Make an action plan on how to prevent similar issues in the future.
- Train your staff;
- Ensure continuous monitoring of IT systems and improvement of cybersecurity systems;
- Perform regular IT security tests and/or audits.
How companies should act in cases of data breaches.
How to deal with a cyber-attack.
Prepared by Andrius Karmonas, ECOVIS ProventusLaw associate