One of the big stories in cyber insurance this week centers on the report about Marriott being 'under the gun' by EU regulators for a data breach.
Potentially exposing personal information on up to 383 million guests, this is a Biggie that EU regulators assessed at $123 million.
Or, is it so big?
On the face of it, this is a mere slap: US$0.32 per record if you divide by the total number of exposed records. But that's nowhere near the real cost of the damage.
You see, this breach, discovered in 2018, had been underway since 2014. What's more, it likely cost Marriott an entire Starwood reservation data system, thrown away. That's what you do when regulators are on your case about 30 million hotel guests from the European Union who may have had their personal and credit card data exposed.
Which gets us to the points:
The first is that the cost per breached record isn't 32.11 cents a pop. The EU penalty covers only its 30 million guests. That pencils out to $4.10 per record. The cost of the data and reservation system will likely show up in a note to Marriott's financial statements.
The second point is this:
Keep a sharp eye on what happens with the European Union regulators: They work like this, as TechCrunch reported:
"Under the new GDPR regime, the ICO has the right to fine up to 4% of a company’s annual turnover. Given Marriott made about $3.6 billion in revenue during 2018, the ICO’s fine represents about 3% of the company’s global revenue."
There has been some misunderstanding of the EU's GDPR and global revenue.
The key thing is that the EU has an odd way of calculating things (ask Google!). They take 4% of worldwide turnover and say that's the basis for calculating their fines.
Other descriptions come to mind, but it doesn't matter. If you have a website reachable in Europe, you need to know the GDPR rules and the exposures.
An ounce of insurance is worth a pound of fire, remember?