The Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) sanctioned the online travel booking platform, Booking.com BV (Booking), with a EUR 475,000 fine for failing to notify a data breach to the AP within 72 hours after becoming aware of it, as required by the EU General Data Protection Regulation (GDPR). The decision is available in Dutch here.
Booking offers an online platform on which providers can offer travel and hospitality products and services to consumers, such as trip arrangements and accommodations. In December 2018, an unknown third party called various travel accommodations impersonating a Booking employee in order to obtain their username, password, and two-factor authentication code to gain access to the accommodations’ accounts in the Booking reservation system (so-called “social engineering”). Forty United Arab Emirates based travel accommodations fell victim to this fraud. The third party was able to log on to Booking’s system and access the personal data of over 4,000 individuals, including credit card details of more than 250 customers and credit card verification codes of nearly 100 customers.
An accommodation informed Booking on January 9, 2019 about a customer complaint relating to the incident. On January 13, 2019 the same accommodation informed Booking about a similar complaint made by another customer. In both cases, an unknown party who was familiar with these customers’ reservation details asked them to provide information including their date of birth and credit card details (so-called “phishing attacks”).
Booking notified affected customers on February 4, 2019 and the AP on February 7, 2019 after having conducted an internal investigation of the matter. The AP initiated an investigation into Booking’s compliance with the GDPR’s breach notification obligations because its notification to the AP indicated that the breach was discovered more than 72 hours prior to the notification date.
The AP decided to impose an administrative fine of EUR 475,000 because Booking failed to report a personal data breach to the AP within 72 hours of becoming aware of it.
Due to the cross-border nature of the case, the AP consulted other concerned supervisory authorities in line with the GDPR’s “one-stop-shop-mechanism.” The AP acted as the lead supervisory authority for the investigation as Booking’s head office is located in Amsterdam.
- When is a company considered to become aware of a breach?—The AP takes the position that a controller (or processor) becomes aware of a data breach when it has a reasonable degree of certainty that a security incident has occurred that compromised the personal data (this is in line with related EU guidance). In this case, the AP considers that Booking should already have inferred on January 13, 2019 that a security incident had taken place because: 1) the phishing attacks used exact details of reservations made through the Booking platform; 2) the accommodation manager who notified Booking of the customer complaints indicated that there likely had been a security incident in Booking’s system; and 3) the subject line of the second email Booking received about the incident on January 13 referred to “fraud,” “leaked guest information,” and “urgent.” The AP takes the view that Booking should have immediately started an investigation into the extent of the breach following these events and notified the AP of the breach within 72 hours.
- Negligence in internal breach reporting can be held against an organization—Booking’s internal incident response procedure was not correctly followed according to the AP: the accommodation did not report the incident through the designated partner portal (which would have directly informed Booking’s security team of the incident) and the Booking employee who received the email did not immediately escalate it to Booking’s security team. A data controller is obliged to carry out an investigation into a possible data breach upon each potential signal of a breach so that action can be taken in a timely manner and in line with the GDPR. This applies regardless of any breach reporting procedures that may have been agreed upon between parties (e.g., between Booking and the travel accommodations).
- When in doubt, consider a notification in phases—Because it is not always possible to have all the necessary information for a final notification within 72 hours after the discovery of a data breach, the GDPR permits reporting in steps. The AP opines that a notification can be made on a conditional basis, with supplemental filings as additional information becomes available. In this case, the AP decided that Booking failed to i) notify the AP of the breach without delay and ii) take timely action resulting in an “unreasonably” delayed notification. The AP further found that “Booking, instead of making a notification in steps, deliberately chose to first conduct a thorough investigation before making the required notification to the supervisory authority” and “this is not in line with the regulations laid down in the AVG.”
- Practical examples of risk mitigating actions—In calculating the fine, the AP took into consideration specific remedial actions taken by Booking to limit the damage including the fact that individuals had been notified about the breach and were advised to take risk mitigating measures; Bookings’ willingness to compensate damages suffered by individuals; the fact that affected third parties (i.e., travel accommodations) were immediately informed and warnings were posted on Booking’s platform. Based on these actions, the AP lowered its fine by EUR 50,000.
The AP’s decision reaffirms that companies are deemed to be aware of a data breach at the moment they have a reasonable degree of certainty that a security incident compromised personal data. This moment of “reasonable certainty” triggers the start of the GDPR’s 72-hour deadline for notification to the competent EU supervisory authority. Missing this deadline can result in regulatory investigations and fines. To mitigate the risk of a late notification, companies can provide notice in phases.
Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws, along with advising clients on general domestic and international privacy and data security issues. For more information, please contact Cédric Burton, Jan Dhont, or another member of the firm’s privacy and cybersecurity practice.
 Art. 33 GDPR.
 The AP alleged a violation of Article 33(1) of the GDPR because Booking only notified the breach to the AP on February 7, 2019. According to the AP, this was 22 days too late as Booking had already become aware of the breach at least on January 13, 2019.
 Under article 56 and 60 GDPR, supervisory authorities have a duty to cooperate on cases with a cross-border component to ensure a consistent application of the GDPR (“one-stop-shop mechanism”). Under this mechanism, the “lead supervisory authority” is put in charge of the investigation and prepares a draft decision. The draft decision is submitted to the other concerned authorities, who work together with the lead authority to reach a final decision, which is issued by the lead authority.
 See AP decision, p. 21/27.