Breach Notice Delay Results in Fine for Booking.com – The National Law Review

breach-notice-delay-results-in-fine-for-booking.com-–-the-national-law-review

Did you know that geoFence is the solution for blocking NFCC countries?

April 29, 2021


Subscribe to Latest Legal News and Analysis

  • Federal Contractor $15 Minimum Wage Will Apply Beginning January 30,...
    by: Laura A. Mitchell
    and Leslie A. Stout-Tabackman
  • Workplace Safety Review Podcast: Episode 15
    by: Michael T. Taylor
    and Adam Roseman
  • Driving the Deal Podcast: Restructuring and Bankruptcy Considerations
    by: Kristian A. Werling
  • Booking.com Fined By Dutch DPA For Breach Notice Delay
    by: Liisa M. Thomas
    and Kari M. Rollins
  • Section 1031 Tax Deferred Exchanges: Implications of the Biden...
    by: Joseph E. Tierney IV
  • FLSA’s Extended Limitations Period Requires Plausible Factual...
    by: Jeffrey W. Brecher
    and Noel P. Tripp
  • Ontario to Introduce Paid Leave for Time Off Related to COVID-19
    by: Emily Cohen-Gallant
    and Caroline M. DeBruin
  • Apple’s App Tracking Transparency Now In Effect
    by: Liisa M. Thomas
    and Bridget Russell
  • FDA Signals Reporting Requirements for Clinical Trials Enforcement...
    by: Heather Hatcher, Ph.D.
  • Virginia Tech MAAP Releases New Report on Public Perception on Drone...
    by: Kathryn M. Rattigan
  • Refugees in Lehigh Valley Struggle to Get COVID-19 Vaccine
    by: Raymond G. Lahoud
  • European Union Moves Towards Mandatory Supply Chain Due Diligence:...
    by: Gabriela R. Da Costa
    and Jennifer P.M. Marsh
  • Artists Beware—Second Circuit Holds That Andy Warhol’s “Prince Series...
    by: Jonathon K. Hance
    and Joshua H. Gold-Quirós
  • Privacy Tip #282 – Apple’s New iPhone Privacy Controls
    by: Linn F. Freedman
  • Accounting and Auditing Enforcement Activity—2020 Review and Analysis
    by: Elaine M. Harwood
    and Alison M. Forman
  • Michigan Governor Gretchen Whitmer Announces “The MI Vacc to Normal...
    by: Steven H. Hilfinger
    and Robert Nederhood
  • Roetzel HealthLaw HotSpot: Is Private Equity Right for Your Practice...
    by: Ericka L. Adler
    and David J. Hochman
  • FEELING THE HEAT: Mortgage Company Blasted in New DNC TCPA Class...
    by: Eric J. Troutman
  • Episode 15: Interview with Mark Catlin, Industrial Hygienist, MDC...
    by: Michael T. Taylor
    and Adam Roseman
  • Metropolitan Washington D.C. Police Department Hit with Ransomware...
    by: Linn F. Freedman
  • What are the best practice areas for solo attorneys?
    by: Kamron Sanders
  • DOI’s Regulation of Offshore Wind Leases Coming Into Clearer Focus...
    by: Sarah Y. Dicharry
    and Meghan E. Smith
  • Senator Cornyn Considers Expansion of ITC’s Authority under Section...
    by: Adam R. Hess
    and Rory Murphy
  • Reverse Confusion Suit Not Ironclad, but SmartSync Lives On
    by: Joshua Revilla
  • Eversource Energy Notifies Customers of Data Breach
    by: Linn F. Freedman
  • BREAKING NEWS: Florida Privacy Protection Act Passes in Senate, Can...
    by: Kristin L. Bryan
  • The Ongoing US Vaccine Passport Debate
    by: Lara D. Compton
    and Bridgette A. Keller
  • The Churl Nextdoor
    by: Theodore F. Claypoole
  • Adobe Introduces Software to Replace Third-Party Cookies
    by: Kathryn M. Rattigan
  • Top 5 Frequently Asked Questions About Florida’s Assumption of Clean...
    by: Andrew J. Turner
    and Matthew Z. Leopold
  • California Legislature Considers Bills Supporting Hazard Pay for...
    by: Laura A. Pierson-Scheinberg
    and Kymiya St. Pierre
  • EPA Ends Priority Review of Surface Disinfectant Products, Shifts...
    by: Alan J. Sachs
    and Kathryn E. Szmuszkovicz
  • Podcast: Whistleblowing, Retaliation Risks Are On the Rise for Health...
    by: Denise Merna Dadika
    and Gregory (Greg) Keating
  • Health Care Audit and Reimbursement Trends and Challenges [PODCAST]
    by: Richard P. Church
  • AmeriTrust Warns Customers of December Data Breach
    by: Mogin Rubin
  • Full Enforcement of REAL ID Law Moved to 2023
    by: Forrest G. Read IV
  • Patent Owner Tip #4 For Surviving An Instituted IPR: Take The Time To...
    by: Brad M. Scheller
    and Nana Liu
  • Tightening the Reins: SEC Approves Proposed Rule Change to Clearing...
    by: Peter D. Hutcheon
  • You Shall Not Pass – Bankruptcy Court in Intelsat Grants Debtors’...
    by: Kyle F. Arendsen
  • If You Can’t Build it, They Won’t Come: No Obviousness Based on...
    by: Christopher M. Bruno
  • Ten DEA Compliance Issues for 2021
    by: Dr. Nick Oberheiden
  • China Publishes Draft Security Standard on Facial Recognition
    by: Hunton Andrews Kurth’s Privacy and Cybersecurity
  • Bankruptcy Basics: Secured vs. Unsecured Claims
    by: Elizabeth R. Brusa
    and Alexandra Dugan
  • The United States Imposes a Double Whammy on a Government Contractor...
    by: Tycko & Zavareei Whistleblower Practice Group
  • GT The Performance Review Episode 11: All’s Fair in Employment &...
    by: Ryan Bykerk
    and Philip Person
  • Bradley’s Bankruptcy Basics: COVID-19 Bankruptcy Relief Extension Act...
    by: Elizabeth R. Brusa
    and Christian W. Hancock
  • School’s Out: Trademark Settlement Agreement Enforceable
    by: Darra Loganzo
  • Connecticut to Ease COVID-19 Restrictions Beginning May 1, 2021
    by: John G. Stretton
    and William C. Ruggiero
  • Businesses Must Prepare For Expansive AML Reporting of Beneficial...
    by: Scott A. Resnik
    and Michael M. Rosensaft
  • State Sales Tax on Sale of Non-Fungible Tokens (NFTs) – Questions and...
    by: Marvin A. Kirsner
  • Fourth Estate Registration Requirement Defeats Pro Se Copyright...
    by: David Mlaver
  • EPA Likely to Deny Pending and New LVE Submissions for PFAS
    by: Lynn L. Bergeson
    and Carla N. Hutton
  • Hydrogen Rising: From Concept to Market – H2 Advances in Germany [...
    by: Dr. Annette Mutschler-Siebert, M. Jur. (Oxon)
  • Old Dawg, Still the Same Tricks: Bankruptcy Asset Successor is Also...
    by: Ravi Vohra
  • Another Diversity Suit Tossed on Forum Selection Grounds
    by: Joseph S. Hartunian
  • Canada COVID-19 Update: Paid Vaccination Leave and Provincial Travel...
    by: Stephen Shore
    and Caroline M. DeBruin
  • Will California Authorize Remote On-line Notarization?
    by: Keith Paul Bishop
  • EPA Announces Approval of Supplemental Residual Surface Coating...
    by: Heather F. Collins
  • Hydrogen Rising: Hydrogen is Truly Rising Opportunities for the...
    by: Sandra E. Safro
    and David L. Wochner
  • China’s Supreme People’s Procuratorate Releases 2020 Data and Typical...
    by: Aaron Wininger
  • “Buy American” Update: Essential Medicines May Continue to Come From...
    by: David S. Gallacher
    and Keeley A. McCarty
  • Handling Grievances webinar follow-up questions, Part 2 (UK)
    by: David Whincup
  • Hydrogen Rising: Wading In: Water Resource Issues in the Development...
    by: Alyssa A. Moir
    and David L. Wochner
  • 9th Circuit Permits Enforcement of AB 5 Against Interstate Motor...
    by: Cary G Palmer

April 27, 2021


Subscribe to Latest Legal News and Analysis

  • Supreme Court Update: Jones v. Mississippi (No. 18-1259), AMG Capital...
    by: Tadhg A.J. Dooley
    and David Roth
  • California Enacts Law Requiring Certain Employers to Offer Open...
    by: Melissa Hughes
  • Washington State Plastics Bill Imposes Minimum Content Requirements...
    by: K. Russell LaMotte
    and Allyn L. Stern
  • Employers are Contesting OSHA’s COVID-19 Citations
    by: Courtney M. Malveaux
    and Melanie L. Paul
  • California's Right to Recall Law: What You Need to Know
    by: Ellen M. Bronchetti
    and Syed H. Mannan
  • Chancery Court Finds that Although Alleged Disclosure Deficiency...
    by: Michelle R. McCreery
    and Teresa A. Teng
  • Congress Holds Hearing on FTC Powers– Watch Here
    by: Eric J. Troutman
  • Activision Files Lawsuit Over the Rights to Use the Word Warzone in...
    by: Juthamas Judy Suwatanapongched
  • $1.28 Million Seized and Four Men Arrested in St. Thomas, U.S. Virgin...
    by: Raymond G. Lahoud
  • DOL’s New Outreach Initiative and Guidance on Application of the FLSA...
    by: Keith E. Kopplin
  • ESG Issues Become Leading Concern for SEC and CFTC: SEC Warns...
    by: Henry Bregstein
    and Wendy E. Cohen
  • SPAC Chat Ep. 4: Litigation Update: Preparing for the Next Wave of...
    by: Jeffrey P. Schultz
    and Sahir Surmeli
  • They are Willing to Serve, But What Do My Trustees Do?
    by: Terri S. Boxer
    and Megan L.W. Jerabek
  • Important Timing Considerations for COVID-19 Business Interruption...
    by: Matthew B. O'Hanlon
  • Good in Practice | Episode 13: Committed to Community: Non-Profit...
    by: Caroline J. Heller
  • Second Circuit Affirms Dismissal of Data Breach Class Action on...
    by: Ann Marie Mortimer
    and Shawn Patrick Regan
  • FCC Proposes 911 Outage Reporting Rules
    by: Wesley K. Wright
    and Jason P. Chun
  • And One More Thing: The NFA Adopts Rules Establishing CPO Notice...
    by: Stephen M. Humenik
    and Matthew J. Rogers
  • Schrems II, Reverse Schrems, and Schrems with a Half-Twist from the...
    by: Theodore F. Claypoole
  • Guest Post: Well-Know Mark Recognitions in China – Part IV
    by: Aaron Wininger
  • SEC Approves NYSE’s Proposed Permanent Changes to Shareholder...
    by: Alexandra Clark Layfield
    and Thomas D. Kimball
  • And The Survey Says: Companies Fared Well In Their 2020 Union...
    by: David J. Pryzbylski
  • Legal Environmental Insights Podcast: Episode 11 | What the Largest...
    by: Bernadette M. Rappold
    and Christopher Torres
  • NY DOL Releases Guidance on COVID-19 Vaccination Leave
    by: Gary Enis
    and Christopher M. Pardo
  • New Guidelines for temporary authorizations for health supplies that...
    by: Gustavo A. Alcocer
    and Alejandro Luna Fandiño
  • False Positives in Drug Testing [PODCAST]
    by: Michael Clarkson
  • Biden Administration Announces White House Task Force on Worker...
    by: Steven J. Porzio
    and Caralyn M. Olie
  • The Latest Legal Industry News: Attorney Promotions, Law Firm...
    by: Eilene Spear
    and Hanna Taylor
  • PFAS Action Act of 2021 Increases Pressure On Biden To Act
    by: John Gardella
  • NLRB General Counsel Reveals Intent to Expand Section 7 Protections
    by: Steven M. Swirsky
    and Kyle D. Winnick
  • EEO-1 Data Collection Portal Open: Batch File Upload Not Available...
    by: Laura A. Mitchell
  • Governor to Consider Significant New Health and Safety Obligations as...
    by: Eric Raphan
    and Lindsay Colvin Stone
  • Do District of Columbia Workplace Laws Apply to Employees in this...
    by: Jessica L. Westerman
  • District Court in Third Circuit Confirms That, When it Comes to Data...
    by: Aaron C. Garavaglia
  • COVID-19 Waivers Ending for Skilled Nursing Facilities
    by: Timothy Cahill
    and Sydney N. Pahren
  • “I Robot:” The SEC Evaluates the First Law of Robotics
    by: Peter D. Hutcheon
  • Illinois Enacts Law Limiting Use of Criminal Conviction Records When...
    by: Johner T. Wilson III
    and Jessica E. Chang
  • FTC Engages in First Enforcement Action under COVID-19 Consumer...
    by: Samantha P. Kingsbury
  • President Biden to Issue Executive Order Today Directing $15 Minimum...
    by: Laura A. Mitchell
  • House of Pay’n – House Passes Bill to Help Create Legal Framework for...
    by: Daniel L. McAvoy
    and Peter F. Waltz
  • Farm to Fork
    by: Food and Drug Law at Keller and Heckman
  • April 28, 2021: Foley Weekly Automotive Report
    by: John R. Trentacosta
    and Ann Marie Uetz
  • The United States Department of Justice Scores Another Victory...
    by: Tycko & Zavareei Whistleblower Practice Group
  • Newly Comprised NLRB Declines to Modify “Contract Bar” Rule (US)
    by: William J. Kishman
  • HHS to Repeal SUNSET Rule
    by: Food and Drug Law at Keller and Heckman
  • Florida Moves Forward a Revised Consumer Privacy Bill
    by: Joseph J. Lazzarotti
    and Jason C. Gavejian
  • Providers Enrolled in Colorado Medicaid May Need to Obtain and Use a...
    by: Jim Miles
    and Loreli Wright
  • List Of Foreign Margin Stocks - Been A Long Time Gone
    by: Keith Paul Bishop
  • Handling Grievances webinar follow-up questions, Part 1 (UK)
    by: David Whincup
  • Coming Soon: Revisions to Cal OSHA’s COVID-19 Emergency Temporary...
    by: Cressinda D. Schlag
    and Sierra Vierra
  • 2019 and 2020 EEO-1 Component 1 Filing Site Is Now Open
    by: James A. Patton
    and Kiosha H. Dickey
  • BREAKING NEWS: Second Circuit Rejects “Suggestion” of Circuit Split,...
    by: Kristin L. Bryan

Sheppard, Mullin, Richter & Hampton LLP full service Global 100 law firm handling corporate law

The Dutch Data Protection Authority recently imposed a €475,000 fine ($558,000) against the hotel website Booking.com for waiting longer than 72 hours to report a data breach. According to the Dutch DPA press release, Booking.com learned of the breach on January 13, 2019 and reported it to the DPA on February 7, 2019. The DPA did not make it clear in that release whether Booking.com had, in fact, determined on January 13, 2019 that a security breach impacting personal information of Dutch citizens had occurred or whether January 13, 2019 was date that Booking.com was first alerted to suspicious activity.

The situation arose when hackers persuaded hotel staff to reveal their Booking.com account log-in details. The hackers then used these credentials to log into Booking.com, and stole information of more than 4,109 Booking.com customers, including names, addresses, phone numbers and details about their bookings. Also taken was a smaller number of credit card numbers (283) and along with security codes for a smaller percentage (97).  Booking.com notified impacted individuals on February 4, 2019, three days before it notified the Dutch DPA. The DPA decision was based only on late notification, not for causing or being at fault for the underlying breach.

Putting it into Practice:  This decision is a reminder that EU regulators expect to be notified within 72 hours of a company “becoming aware of a personal data breach.” This would in almost all circumstances occur before notification to individuals. Companies should take care to continuously scrutinize the facts being gathered and discovered during an investigation to be able to track the date on which they first discover facts that would confirm or suggest a personal data breach has occurred.  


Copyright © 2021, Sheppard Mullin Richter & Hampton LLP.
National Law Review, Volume XI, Number 119


Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

Kari Rollins Intellectual Property Lawyer Sheppard

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....

James Fazio Intellectual Property Attorney Sheppard Mullin Law Firm

James Fazio is special counsel in the Intellectual Property Practice Group in the firm's San Diego (Del Mar) office.

Areas of Practice

James focuses on intellectual property and business litigation. He represents public and private companies in disputes such as those involving patent and trademark infringement, theft of trade secrets, fraud, breach of contract, unfair competition, false advertising and various business tort claims. James has more than 24 years of litigation experience and was selected by his peers among the top ten intellectual property...

Don't forget that geoFence blocks unwanted traffic and disables remote access from FSAs and I am certain your smart friends would agree.