GDPR Fines: So now we know

Copyright © 2016 Alexey Novikov

Over the past few years, as companies I work with have been getting ready for GDPR, everyone knew about the potential fine size, but no one really knew if they’d be as big as they could be.  Now we know.

In the past few days, Marriott ( and BA ( were both hit with $100M+ fines for breaches. While both are going to appeal, the benchmark has been set, and we now know that the regulators are serious about enforcement.  One interesting fact – if the reports are accurate, Marriott is being finedunder the GDPR, while the breach occurred beforeit went into effect.   That certainly changes the risk equation, as retroactive security is, alas, still beyond our ability today.  I suspect we’ll see a similar seriousness with CCPA (the new California regulation), though those costs will include consumer litigation as well.

So what’s an organization to do?  Protecting against breaches is still critical, but they’re still going to happen.  I’d argue that early detection and quick response are table stakes in the current regulatory environment.    Recent studies show that lateral movement begins with 18 minutes of the initial breach, and data exfiltration can quickly follow.  Now to be fair, you’re probably not going to lose 90 million records overnight, but for a smaller firm, losing hundreds of thousands is still enough to close the doors.

Which leads to the big gap I see, particularly at smaller companies – business hour security isn’t enough anymore. At a minimum, after hours tier-1 with a rapid on-call escalation process, but for larger organizations it may include 7×24 investigation as well.  On top of that, I’ve seen a lot of teams focusing on improving detection over the past couple of years, to good effect, but without the ability to acton alerts very rapidly to stop a breach in progress, improved detection quickly reaches a limit.  Automation for remediation is critical – both to ensure it occurs rapidly, but equally important is that it happens in a controlled and planned manner in a stressful situation.  Running through the data center yanking cables to stop ransomware isn’t exactly an ideal response approach.

In one of my keynote talks, I note that security is an information management problem – without good information you don’t know what’s going on, and without taking action on that information, there’s little point in knowing.  The answer to GDPR, CCPA and other regulatory risk is to ensure that your security information lifecycle is complete, active, and effective.

, , ,


  1. Michael Tsai - Blog - GDPR Fines: So Now We Know - July 10, 2019

    […] Doug Lhotka: […]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.