sdecoret - stock.adobe.com

Billion-dollar privacy penalties put CEOs on notice

Facebook’s potential $5bn settlement with the FTC follows notifications of planned GDPR fines for British Airways and Marriott International, underlining the importance of data stewardship

Recent regulatory action against Facebook, British Airways and Marriott International shows that companies are being held accountable for protecting personal information.

The US Federal Trade Commission (FTC) reportedly approved a $5bn settlement with Facebook following a probe into the social networking firm’s data practices in relation to the Cambridge Analytica data exploitation scandal.

News of the settlement, which still has to be approved by the US Justice Department, came in the same week as the UK’s Information Commissioner’s Office (ICO) issued a notice of its intention to fine British Airways £183.39m and Marriott International £99m for infringements of the General Data Protection Regulation (GDPR).

The unprecedented penalties imposed on Facebook, Marriott and British Airways should serve as a warning for company leaders, according to Tom Turner, CEO of cyber security ratings firm BitSight.

“CEOs around the globe are on notice that they are accountable for cyber security performance management just the same way they are accountable for managing the business,” he said.

Commenting on the FTC settlement, Nuala O’Connor, president and CEO of the Center for Democracy & Technology (CDT), said: “The record-breaking settlement highlights the importance of data stewardship in the digital age.

“The FTC has put all companies on notice that they must safeguard personal information,” she said, adding that privacy regulation in the US is “broken”.

While large after-the-fact fines matter, O’Connor said strong, clear rules to protect consumers are more important, and called on the US Congress to pass a comprehensive federal privacy law in 2019.

The regulatory action of the past week should make IT asset managers aware that regulators are paying attention to companies’ due diligence regarding privacy practices, according to the International Association of Information Technology Asset Managers (IAITAM).

“We’ve been advising organisations for more than a year that privacy laws are changing, and due diligence is going to be imperative,” said Barbara Rembiesa, president and CEO of (IAITAM).

 “Organisations with mature IT asset management programmes already have a programme in place that can help address vulnerabilities in due diligence, even when it comes to personal privacy,” she said.

The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems.

Information commissioner Elizabeth Denham said the GDPR makes it clear that organisations must be accountable for the personal data they hold.

“This can include carrying out proper Due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected,” she said.

The IAITAM said IT asset managers have a wealth of information available to them, and that data can be used to help organisations make critical decisions about how they handle personal and private data, noting that the organisation defines legislation as one of 12 foundational components of a mature ITAM programme.

With fines and settlements for breaking data privacy rules being in the billions and growing, the IAITAM said organisations must reflect on how they collect and store private data from their users or customers.

Although many larger organisations also have privacy teams, the IAITAM said an IT asset managers should be involved in making high-level decisions regarding privacy policies because a practitioner’s information could help an organisation save billions in settlements and fines due to his or her knowledge of the laws and the uniqueness of the organisation’s IT environment.

Despite the fact that the proposed settlement with Facebook dwarfs the FTC fine levied on Google of $22.5m, critics say a settlement of $5bn is insignificant, amounting to little more than a “slap on the wrist” for a company that reported more than $15bn in revenue in the first three months of 2019, according to The Guardian.

Read more about GDPR

Read more on Privacy and data protection