Facebook, Marriott Face Fines Over Privacy Missteps: Will it Matter?

The FTC endorses a $5B settlement with Facebook over the company’s 2018 Cambridge Analytica data compromise and other issues.


It is time to pay the piper, or rather fine the piper, but is it enough? Facebook and Marriott are just the latest organizations to receive hefty fines due to privacy gaffes.

According to reports, the Federal Trade Commission endorsed an estimated $5 billion settlement with Facebook Inc. over the company’s 2018 Cambridge Analytica data compromise and the social media giant’s other privacy slipups.

The fine, approximately 9% of Facebook’s 2018 revenue, represents the largest ever imposed by the FTC against a tech company, surpassing the $22.5 million penalty levied against Google in 2012 due to its privacy practices.

Not everyone agreed with the penalty’s efficacy.

“Given Facebook’s repeated privacy violations, it is clear that fundamental structural reforms are required,” Sen. Mark Warner (D-Va.) said in a statement. “With the FTC either unable or unwilling to put in place reasonable guardrails to ensure that user privacy and data are protected, it’s time for Congress to act.”

Facebook’s privacy issues intensified last year when the social network revealed cyberattackers took advantage of its code to access – and possibly expose – the personal information of nearly 185 million user accounts.

The Cambridge Analytica episode involved up to 87 million users’ data, but there were other Facebook-connected data incidents in 2018 as well. Earlier this year, researchers found two Amazon Web Services servers storing over 540 million records collected from the social network by two third-party companies.

Dan Goldstein, president and owner of Page 1 Solutions, said, “It’s unfortunate that online security and privacy have become a party-line issue. The FTC regulators had an opportunity to make a real statement on acceptable corporate conduct, but the reports of political infighting cheapen that message. The real ‘teeth’ of this announcement will come not from the $5 billion settlement. Facebook is worth hundreds of billions of dollars, so this amount is practically a drop in the bucket. I am more curious about the regulations expected to accompany the terms of the settlement.”

Pravin Kothari, founder and CEO of CipherCloud, said: “We’ll see more and more regulators ‘bring the hammer down’ and levy some of the largest fines ever seen in an effort to drive data privacy and raise awareness. This time it is the FTC, the next could be GDPR or the upcoming California Consumer Privacy Act, followed by many other privacy regulators worldwide.”

Tim Erlin, vice president, product management and strategy, at Tripwire, held, “While this is clearly a substantial fine by any measurement, the real question is whether it will ultimately change any of Facebook’s policies or practices.” Erlin added that consumers have no control over how their data is used, and no way to evaluate whether practices have changed. “At best, consumers can evaluate whether Facebook’s marketing around privacy changes.” Erlin added, “Other organizations should take notice of this fine as a warning that the FTC will issue meaningful fines for privacy violations.”

Meanwhile, the U.K. Information Commissioner’s Office said it will serve hotel chain Marriott with a £99 million ($123 million) fine for a 2018 data breach in which some 387 million guests had names, birthdates, gender, addresses, and passport numbers stolen after unauthorized parties gained access to reservations made from 2014 to 2018. (British Airways was also fined the equivalent of $230 million by the ICO for its breach of 500,000 customers’ credit card information.)

The U.K.’s data protection authority said it discovered Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.” The breach affected about 30 million European Union residents, according to the ICO. But Marriott said it intends to respond and vigorously defend its position before the fine’s imposition.

“These fines make it clear — executives and boards are responsible and accountable for cybersecurity,” Jake Olcott, vice president at BitSight, said. “It has never been more important for them to understand and manage their organization’s security performance just like they would manage any other critical business issue. When it comes to cybersecurity, ongoing briefings, regular reporting, and performance metrics are no longer nice to have — they are required.”

Jonathan Bensen, chief information security officer, Balbix, stated, “Marriott’s data breach last year stands as one of the largest to occur by number of records exposed behind Yahoo’s 2013 breach of 3 billion records and First American Corp’s breach of 885 million records this year.” Bensen noted organizations must scan and monitor not just the organization-owned and managed assets, but also all third-party systems to detect vulnerabilities.

“We are living in a world where there are hundreds of thousands of threat actors around the globe continuously trying to exploit vulnerabilities,” Chris DeRamus, chief technology officer and co-founder, DivvyCloud, said. “Regardless of how the breach occurs, typically, it’s because of an approach to security that is manual and periodic rather than continuous.”

Anurag Kahol, CTO and co-founder, Bitglass, stated, “Data breaches that remain undetected for an extended period of time highlight the inadequacy of the reactive security solutions that many organizations rely upon today. Organizations need to adopt flexible security platforms that proactively detect and respond to new threats as they arise, enforce real-time access control, encrypt sensitive data at rest, control the external sharing of data, and prevent the leakage of PII.”

Chris Kennedy, chief information security officer, AttackIQ, said, “The Marriott Starwood breach is another example of a merger and acquisition where testing the resiliency of the current security controls would have assisted in both the visibility of gaps and discovery that Starwood Hotels was already breached. As organizations are evaluating companies for M&A deals, it is imperative the cybersecurity posture and incident history are evaluated.”