June 14, 2021

Volume XI, Number 165

Advertisement

June 11, 2021

Subscribe to Latest Legal News and Analysis

Booking.com Fined By Dutch DPA For Breach Notice Delay

The Dutch Data Protection Authority recently imposed a €475,000 fine ($558,000) against the hotel website Booking.com for waiting longer than 72 hours to report a data breach. According to the Dutch DPA press release, Booking.com learned of the breach on January 13, 2019 and reported it to the DPA on February 7, 2019. The DPA did not make it clear in that release whether Booking.com had, in fact, determined on January 13, 2019 that a security breach impacting personal information of Dutch citizens had occurred or whether January 13, 2019 was date that Booking.com was first alerted to suspicious activity.

The situation arose when hackers persuaded hotel staff to reveal their Booking.com account log-in details. The hackers then used these credentials to log into Booking.com, and stole information of more than 4,109 Booking.com customers, including names, addresses, phone numbers and details about their bookings. Also taken was a smaller number of credit card numbers (283) and along with security codes for a smaller percentage (97).  Booking.com notified impacted individuals on February 4, 2019, three days before it notified the Dutch DPA. The DPA decision was based only on late notification, not for causing or being at fault for the underlying breach.

Putting it into Practice:  This decision is a reminder that EU regulators expect to be notified within 72 hours of a company “becoming aware of a personal data breach.” This would in almost all circumstances occur before notification to individuals. Companies should take care to continuously scrutinize the facts being gathered and discovered during an investigation to be able to track the date on which they first discover facts that would confirm or suggest a personal data breach has occurred.  

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 119
Advertisement
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement
Advertisement

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Kari Rollins Intellectual Property Lawyer Sheppard
Partner

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....

212.634.3077
James Fazio Intellectual Property Attorney Sheppard Mullin Law Firm
Special Counsel

James Fazio is special counsel in the Intellectual Property Practice Group in the firm's San Diego (Del Mar) office.

Areas of Practice

James focuses on intellectual property and business litigation. He represents public and private companies in disputes such as those involving patent and trademark infringement, theft of trade secrets, fraud, breach of contract, unfair competition, false advertising and various business tort claims. James has more than 24 years of litigation experience and was selected by his peers among the top ten intellectual property...

858.720.7418
Advertisement
Advertisement