When French regulators cited Europe's fledgling General Data Protection Act in fining Google $57 million earlier this year for playing fast and loose with consumer data in personalizing ads, experts called what was then the biggest fine issued under the new law the "tip of the iceberg."
It didn't take long to start exposing the rest of that iceberg. Two more companies—British Airways and Marriott—have been slammed with even larger fines related to recent breaches.
The U.K.'s Information Commissioner's Office (ICO) on July 8 cited GDPR in announcing it would seek a $230 million fine against British Airways (equal to 1.5 percent of the company's annual revenue) for a September 2018 breach in which attackers accessed the protected data of nearly 500,000 customers through the airline's website and mobile applications. The ICO alleged that ineffective security practices were to blame.
A day later, the ICO added Marriott to the list, saying it intends to seek nearly $124 million from Marriott (or 3 percent of its annual revenue) for a breach that saw hackers maintain access to the Starwood guest reservation database between 2014 and 2018, compromising 383 million customer records.
Both companies have said they plan to appeal the fines, once they are officially levied. (The GDPR allows for fines as high as 4 percent of a company's annual revenue.)
The message ICO is sending to businesses, and that France's Commission nationale de l'informatique et des libertés (CNIL) sent with its Google fine earlier this year, is clear: Now that we've got this powerful new tool we can wield, get your data security practices in order or suffer the consequences.
"When you are entrusted with personal data you must look after it," ICO Commissioner Elizabeth Denham said in a statement about the British Airways fine. "Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
Both fines clearly establish that big tech companies aren't the only ones who should fear the wrath of European agencies backed by the GDPR. What's more, the British Airways fine also sends the message that the GDPR will be used as more than a tool to keep overseas companies from failing to honor European privacy standards; it will be used to keep European companies in line, too.
Still, with plenty of momentum building in the U.S. for a GDPR-like federal privacy regulation, American companies face a thornier-than-ever regulatory future on the privacy front as consumers grow more uncomfortable with how their data is being treated.
Nearly half of surveyed Americans told the Pew Research Center two years ago that they felt their data was less safe than it was five years earlier, and that number has surely risen since then, amid a steady stream of large-scale breaches of trust, highlighted by the Equifax hack and the Facebook/Cambridge Analytica scandal.
(While on the topic, it's worth pointing out that Facebook's responsibility in the Cambridge Analytica episode is likely to get the GDPR treatment at some point. Facebook, which just reached a $5 billion settlement with the FTC that has onlookers bristling, is still fighting a paltry $653,000 fine from the ICO that was the maximum the agency could levy prior to GDPR.)
Given all of this, it should come as no surprise that cybersecurity spending is on the upswing. A recent global survey of nearly 500 companies found that security investments will rise an average of 34 percent in the next fiscal year, up from a 17 percent increase during the current fiscal year. That's good news for security vendors, and a reflection of how good business is for bad guys.
What this increased investment will mean for consumers and their data will depend on how well that money gets spent.
For clues to what it will be spent on, Gartner analyst Brian Reed shared enterprise security spending priorities over the next few years at the consultancy's security summit in Maryland last month. Topping the list were cloud access security brokers, with an expected compound annual growth rate of 46 percent through 2022, followed by encryption (24 percent), threat intelligence (21 percent) and privileged access management (17 percent).
Maybe he needs to add another item to the list: GDPR compliance.