The Dutch Data Protection Authority recently imposed a €475,000 fine ($558,000) against the hotel website for waiting longer than 72 hours to report a data breach. According to the Dutch DPA press release, learned of the breach on January 13, 2019 and reported it to the DPA on February 7, 2019. The DPA did not make it clear in that release whether had, in fact, determined on January 13, 2019 that a security breach impacting personal information of Dutch citizens had occurred or whether January 13, 2019 was date that was first alerted to suspicious activity.

The situation arose when hackers persuaded hotel staff to reveal their account log-in details. The hackers then used these credentials to log into, and stole information of more than 4,109 customers, including names, addresses, phone numbers and details about their bookings. Also taken was a smaller number of credit card numbers (283) and along with security codes for a smaller percentage (97). notified impacted individuals on February 4, 2019, three days before it notified the Dutch DPA. The DPA decision was based only on late notification, not for causing or being at fault for the underlying breach.

Putting it into PracticeThis decision is a reminder that EU regulators expect to be notified within 72 hours of a company “becoming aware of a personal data breach.” This would in almost all circumstances occur before notification to individuals. Companies should take care to continuously scrutinize the facts being gathered and discovered during an investigation to be able to track the date on which they first discover facts that would confirm or suggest a personal data breach has occurred.