Recent GDPR fines levied against Marriott and British Airways highlighted the uncertainty in how penalties are determined, but Tim Mackey, principal security strategist at Synopsys Inc., has tried to untangle the mystery.
According to the GDPR, fines are based on 10 criteria, including the nature of the infringement, level of negligence, what was done to prevent the breach, how the company responded to the breach and more. The regulations also set maximum limits on GDPR fines based on the type of infringement.
Despite these broad guidelines, Mackey noted that there are many subtleties and unknowns in how different regulators will interpret and apply the criteria when determining fines.
And, while GDPR regulators are figuring out those norms, Mackey said the nascent privacy laws in the U.S. have a major flaw in how they view modern business operations.
Editor's note: This interview has been edited for length and clarity.
Has there been a pattern emerging between the data breaches and the GDPR fines being levied?
Tim Mackey: We're still in early days on what criteria the various regulators are using to determine how big of a fine to levy. At this point we've only got three truly major fines under our belts: The Google one in January, the Marriott one and [British Airways]. I tried to determine if there was any kind of taxonomy they might have been using.
Marriott is a bit of a challenge because it goes back to well before GDPR was in play. It's hard to tell if the ICO [Information Commissioner's Office] was looking at, "Well, how many records were breached subsequent to May 25th?"
In terms of a dollar value of the records themselves, clearly there was a higher dollar value placed on BA than on Marriott [$230 million vs. $121 million, respectively]. But what we're actually in right now is the moral equivalent of trying to figure out what damage to award in a court case. There's a lot of subjectivity involved, and we need to see a little bit of a shakeout.
In terms of the process itself -- and I've spoken to a couple of organizations who've gone through this firsthand -- the level of transparency that you have with the regulators really is key toward minimizing whatever the impact is going to be. How quickly was an organization able to detect that there was a problem? Was it all institutional as a problem? In other words, was it something that was well-known and just never really attended to, like the whole Equifax experience?
How do investigators interpret the guidelines for GDPR fines based on what data is involved in the breach? The British Airways breach involved payment cards and Marriott's involved passports, but that didn't seem to be reflected in the fines that were handed out.
Mackey: It definitely wasn't. I have yet to see anything that has provided specific guidance that says, "This type of data shall receive a greater fine than another type of data."
What I've seen playing out so far is the duration under which the attack could have occurred. Whether it actually was occurring over that entire duration or not has been a factor. For example, if there was an issue and it was recognized within a few weeks, it was addressed quite quickly with the regulators, and the regulators themselves were very involved and engaged in it, then that seems to result in a lighter fine than something that has been more systemic over the course of many months or actually even years.
Take the Google fine from earlier this year and the judgment the CNIL [Commission on Data Processing and Liberty] issued. They gave a lot of detail around how they were determining what the impact of usage would be such that they weren't effectively levying a fine on Google for its global operations, but were limiting the fine to that which applied to EU residents.
I do see some indication that with Marriott, the ICO did the same thing, but there's not a lot of evidence. While the CNIL was more transparent, I wish the ICO was similarly transparent.
The British Airways incident affected 500,000 people total, not all of whom would have been Europeans, whereas the Marriott breach affected 31 million Europeans. The fine was almost double for British Airways, so it doesn't feel like that is a major portion of what determines the fine.
Mackey: One of the things that will be very interesting to follow is that there are appeals processes available to both; Marriott has filed with the SEC and BA has filed with the London Stock Exchange. I would hope that at least some level of that appeals process would become public record so we can understand the arguments being made. [Editor's note: the LSE has the lead role in regulation of Alternative Investment Market companies and investigating potential breaches of AIM rules.]
We see the same thing play out in damage awards in class action lawsuits or other civil trials. Juries come back with large penalties, which are then adjusted to be more realistic. There is an appeals process within the UK, and as part of that process I'd expect these nuances to be argued.
In the end, I fully expect all these early judgements to be appealed, but I suspect we might need to parse through the SEC filings and the like to really know the fine outcome.
You said GDPR regulators are very interested in companies being transparent with investigators, but also noted that the regulators themselves aren't always transparent with findings. What do you think about that?
Mackey: This could also be a case of there still being ongoing investigations. It did take about two years for the Senate Report on Equifax to come out. I hope that that's part of the process where there will be a deeper investigation and deeper disclosures.
In the context of Marriott, I would expect that on their next earnings call or with their next 10Q that they would have some level of risk associated with it. With the fine and the process behind it, we may see a little bit more there from Marriott.
What do you think about the requirement to disclose breaches, under the GDPR, within a few days, given how little investigations have revealed at that point?
Mackey: It's actually one nuance of the GDPR that people aren't fully aware of. That time window to disclose is to disclose to the breach regulators, not necessarily to the public. It's the company in cooperation with the regulators who determine the timeline for disclosure to the public and that could be longer than 72 hours.
That's where whatever your disaster response plan is going to start to dictate things because, for example, the regulators might want to hold off disclosure pending FBI-equivalent investigations. There may also be other entities that were in place -- say the credit card processor itself might also have been potentially put at risk -- so they want to ensure that either was or wasn't the case before going public so that they have a little bit more of a complete assessment as opposed to just some raw numbers.
The U.S. doesn't have a regulation in place like the GDPR. What do you see happening here?
Mackey: One of the more interesting scenarios that we have on the horizon is the California Consumer Protection Act that comes online in January. And given the size of California from a user base, it's definitely going to have an impact on data privacy and privacy expectations. And that's before you get into how many companies are actually based in Silicon Valley.
It definitely is already starting to inform laws in other states. New York is currently going through an assessment of what they call the Shield Act and, unfortunately, that particular piece of legislation as it's currently constituted is very focused on what happens after the breach.
Most states' laws are focused on what happens after the breach rather than being slightly more prescriptive, if not fully prescriptive, about things that you should be doing before a breach ever happens. It's basic stuff like, how long am I actually retaining this data for, and how am I protecting whatever that backup copy looks like? What is my disclosure policy around where this data is actually stored?
With the complexity of modern applications, a lot of those decisions are being left to the technologists who don't necessarily have a grounding in the downstream privacy implications or regulatory implications of what's being done.
A perfect example would be, I personally fly Delta Airlines quite a bit, and Delta Airlines was subcontracting [part of] its online system through a company called 7.ai. And 7.ai was breached, 18 months ago or so, and I ended up with a breach disclosure statement from Delta, not realizing that I had ever in any way, shape or form been a customer of 7.ai.
That whole supply chain piece is going to be a more interesting scenario as we move forward and a level of complexity that a lot of these GDPR-like attempts aren't necessarily accounting for properly.
With the GDPR-like laws that are popping up in the States, then, the penalties are skewed more towards results rather than how it happened?
Mackey: It's more that the laws aren't structured around how a modern application or modern service is going to be built. If I go to pretty much any random shopping site, it's going to be the credit card processor that's going to be the fulfillment company; there might be a chatbot that's on the system; there might be outsourced customer support, customer service people.
This whole distributed nature of a modern web-based system is something that's not fully captured in a lot of these laws. They're very much centered on what happens inside your organization and not necessarily what happens with whoever you've selected as a vendor to supply service X.
To a certain extent, it's like if we were looking at a company from, say, 20 years ago, when everything was done very much inside their four walls. That's not true anymore.
Do you think that laws in the U.S. are going to become more similar to GDPR?
Mackey: Any legislation is going to take a little bit of testing in the real world to determine exactly how things are going to be enforced, and GDPR is going through this right now.
Globally, there's a lot of emphasis around having GDPR-like laws in various jurisdictions. Canada has its own, Brazil has its own, India has its own or is in the process of working through its own. We obviously don't have one right now and that actually is a complicating situation should someone end up being part of a breach data set that lives in a jurisdiction where the reporting requirements aren't as rigorous as they might be in California or New York.
If I pull my crystal ball out, we might be a solid six to eight years away from being able to reconcile what the separation of state responsibility and federal responsibility is to come close to having our own version of GDPR.