On 31 March 2021 the Dutch Data Protection Authority (DPA) announced that it fined the online reservation platform Booking.com €475,000 for failing to notify the DPA of a data breach within the timeline established in the GDPR.
The decision signals European regulators’ growing scrutiny of how companies exercise discretion in incident response decisions. Recently, Goodwin reported on the Irish Data Protection Commissioner’s fine on Twitter for similarly not meeting data breach notice timing requirements.
According to the DPA, the breach occurred in December 2018, when cybercriminals, through a telephone scam, obtained the login credentials to a Booking.com system from employees at various hotels in the United Arab Emirates. The perpetrators used the credentials to access reservation data, including the names, addresses, contact information and booking details of more than 4,000 consumers, and credit card information of nearly 300 consumers, including CVV security codes. They also attempted to phish the credit card information of other consumers by misrepresenting themselves as Booking.com employees over the phone and by email.
Timing of Breach Notice
The DPA challenged the timing of the company’s breach notice. Booking.com received multiple initial reports of potential phishing activity from one of the affected hotels during the first half of January 2019. The first report was on 9 January 2019, and described an incident in which a consumer received a suspicious call that prompted the individual to provide details about their reservation. On 13 January 2019, the same hotel informed the company about a similar complaint made by another consumer. The 13 January complaint prompted the company to launch an investigation. Booking.com notified affected consumers several weeks later, on 4 February 2019, once the company completed its investigation and concluded that at that point it suffered a data breach. It notified the DPA on 7 February 2019.
GDPR Notice Timing Requirements
The DPA (Booking.com’s lead privacy regulator) determined that Booking.com did not notify the authority of the breach within the 72-hour deadline required under Article 33 GDPR, which requires organizations (to the extent they are controllers) to notify data protection authorities without undue delay and, where feasible, not later than 72 hours after having become “aware” of the breach (unless the breach is unlikely to result in a risk to data subjects).
GDPR guidance interprets “awareness” as “a reasonable degree of certainty” that a security incident has occurred and compromised personal data. One key requirement is for the organizations to begin the investigation as soon as possible after being notified of an incident.
The DPA concluded that Booking.com failed to launch a timely investigation by not acting on initial reports of phishing it received about the incident and waiting until the 13 January 2019 notice to launch the investigation.
The DPA disagreed with Booking.com’s assessment of when Booking.com should be considered to be “aware” of the breach and stated that it viewed Booking.com as having established such “awareness” well before the company completed the investigation. The DPA took the position that, for purposes of triggering the 72-hour breach notification clock, the company became “aware of the incident” as early as 13 January 2019, when it received the second notice from one of the hotels.
Based on the press release, it appears the DPA viewed the 13 January notice as establishing awareness because the information in that notice was sufficient to satisfy GDPR Art. 33’s harm threshold for notification, irrespective of whether ultimately the company would determine (as it did) that the breach affected credit card numbers. This is because, in the DPA’s view, it was the nature of the attack — phishing — that met the harm threshold, without more. After receiving the second notice, according to the DPA, the company was “aware” that “Booking.com customers were at risk of being robbed. Even if the criminals didn’t take credit card details but only someone’s name, contact details and information about their hotel booking […] the scammers used that data for phishing.”
Takeaways For Businesses
- DPAs are digging deep in reviewing companies’ analysis regarding their incident response. As the Booking.com decision and the recent Irish Twitter case show, DPAs may disagree with a company’s own assessment about when the GDPR 72-hour deadline starts. Businesses should not expect leniency for late reporting. Indeed, review of companies’ cybersecurity practices are within the enforcement priorities of several EU privacy regulators, including the French CNIL’s 2021 enforcement agenda. Establishing robust and clear internal reporting channels will be fundamental to facilitate prompt awareness and the timely notification of data breaches.
- The decision changes the calculus of reasonable assumptions companies make in investigations. Regulators will scrutinize these assumptions without deference to companies’ decisions. This is especially important for outside counsel to consider when advising companies on risks associated with decisions that they typically view as in the “gray zone.”
- Companies should consider being more conservative in launching an investigation early. An initial notification to the DPA should be filed as soon as possible once the company has been presented with evidence that a data breach under the GDPR may have occurred (which might happen before the company completes even an initial investigation). Companies can rely on Article 33(4) of the GDPR (so-called notification “in phases”) to provide additional details about a breach following initial notice to the DPA, as soon as the information is available.
Federica De SantisAssociate