The Dutch Data Protection Authority recently imposed a €475,000 fine ($558,000) against the hotel website Booking.com for waiting longer than 72 hours to report a data breach. According to the Dutch DPA press release, Booking.com learned of the breach on January 13, 2019 and reported it to the DPA on February 7, 2019. The DPA did not make it clear in that release whether Booking.com had, in fact, determined on January 13, 2019 that a security breach impacting personal information of Dutch citizens had occurred or whether January 13, 2019 was date that Booking.com was first alerted to suspicious activity.
The situation arose when hackers persuaded hotel staff to reveal their Booking.com account log-in details. The hackers then used these credentials to log into Booking.com, and stole information of more than 4,109 Booking.com customers, including names, addresses, phone numbers and details about their bookings. Also taken was a smaller number of credit card numbers (283) and along with security codes for a smaller percentage (97). Booking.com notified impacted individuals on February 4, 2019, three days before it notified the Dutch DPA. The DPA decision was based only on late notification, not for causing or being at fault for the underlying breach.
Putting it into Practice: This decision is a reminder that EU regulators expect to be notified within 72 hours of a company “becoming aware of a personal data breach.” This would in almost all circumstances occur before notification to individuals. Companies should take care to continuously scrutinize the facts being gathered and discovered during an investigation to be able to track the date on which they first discover facts that would confirm or suggest a personal data breach has occurred.