British Airways and Marriott received the largest-ever fines under the EU's new General Data Protection Regulation this past week.
The U.K. Information Commissioner's Office (ICO) fined British Airways a proposed $230 million for an incident that took place from June to September 2018 and compromised the data of 500,000 customers. The ICO gave Marriott a $123 million proposed penalty for the loss of 339 million guest records, reported in November 2018. Both companies have the opportunity to respond to the fine before the ICO issues a final decision, and both companies already indicated they will appeal the decision.
But the GDPR fines were important for reasons well beyond numbers. The GDPR is a very broad rule with little detail, and companies have had few insights into how regulators in the EU would interpret the law, particularly what they would consider "adequate" security measures.
The maximum GDPR fine is 4% of a company's global turnover. The fines for BA and Marriott both represented 1.5% of their respective turnover, and the commission said both companies cooperated fully with their respective investigations.
This makes the stakes particularly high for tech companies like Google and Facebook, which are currently under investigation in the EU and for which the legislation was essentially tailor-made. Google could face a fine of up to $5 billion, and Facebook up to $2.2 billion, based on both companies' annual revenue in 2018.
Earlier this year, the ICO indicated it would investigate Google over the leaking of customer data from its advertising platform. Google has already faced scrutiny and fines under the GDPR from France's regulator, with a $57 million penalty levied in January for "lack of transparency" and valid consent controls for users, among other issues.
Facebook has also received penalties for the Cambridge Analytica scandal, in which users weren't given proper notice that a survey was being used for political research and advertising. The company incurred a modest fine of $644,000 for that incident, but is currently under investigation for a breach of usernames and passwords on its Facebook and Instagram platforms that could be far more costly.
The decisions included punitive language that has been uncommon in the privacy enforcement arena, particularly in the U.S., where companies are traditionally treated as victims of cybercrime first, rather than perpetrators of data loss.
This standpoint was reflected in a statement, filed with the Securities and Exchange Commission by Marriott CEO Arne Sorenson:
"We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database."
In fact, the European Data Protection Board questioned how well Marriott had vetted and protected data when it acquired Starwood in a $13.6 billion deal that closed in 2016.
"The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected," the board said.
The commission said less about its fine against British Airways, but the relatively short-term breach and relatively small number of affected customers show the commission may build past data security issues into its equation as well. British Airways parent IAG said it was "surprised and disappointed" by the decision, and said it would "vigorously" defend its stance.
While it's still too early to know what will happen after the companies contest the fines, companies are focusing closely on the early wording of the rulings by the commission, said Paul Ferrillo, partner in the cybersecurity practice at law firm Greenberg Traurig.
"The proposed fine against Marriott should serve as notice to other companies both under investigation now, and investigated down the road, that the fines and penalties provision of the GDPR is the real deal," he said. "We are no doubt on notice of more fines and penalties to come by the EU regulators."
The ICO has also shown it will focus on companies it sees as having been "lax in their responsibilities," not just every corporation large and small that has a data breach, said Chet Wisniewski, principal research scientist at U.K.-based cybersecurity company Sophos.
"If this happened for years and you didn't remedy the system, and you had lots of chances, that's where the ICO might punish more," he said. "Marriott in particular will draw everyone to the M&A aspect of this, and how companies should ask [businesses they are about to acquire] 'what kind of private information do you have on our customers, what procedures and security measures do you have in place?'"
The rulings should give companies a reason, once again, to evaluate whether their security measures are enough to withstand the ICO's scrutiny, Ferrillo said. They should also "reassess the amount and sufficiency of their cybersecurity insurance coverage," to be certain a hefty GDPR fine is covered, he said.