This piece on Law360 covers off five key learnings from the UK Ticketmaster fraud fine.
The piece highlights how the U.K. Information Commissioner's Office's £1.25 million fine against Ticketmaster, imposed over cybersecurity failings that exposed customer payment card data, offers several technical and organisational compliance lessons for companies subject to the GDPR.
Luke Dembosky, Robert Maddox and Christopher Garrett cover off several important points for anyone concerned with the GDPR and the fines imposed under it. Their key learnings in this piece focus on:
1. The Need for Vendor Cybersecurity Oversight
2. The Need for Awareness of Emerging Attack Vectors
3. The Impact of Industry Standards on GDPR Compliance
4. The Need to Perform Risk Assessments and Document Key Decisions
5. The Need to Evaluate Alerts of Potential Breaches Promptly
As the authors note, the Ticketmaster penalty completes a hat trick of high-profile penalties imposed by the ICO, the other two being the fines against British Airways PLC and Marriott International Inc.
To read my previous post on the British Airways fine, take a look here: https://amonsocial.alvarezandmarsal.com/post/102gkr1/five-conclusions-from-the-uk-icos-british-airways-fine
The Ticketmaster penalty completes a hat trick of high-profile penalties imposed by the ICO, which also included fines against British Airways PLC and Marriott International Inc. Companies subject to the GDPR should consider all three actions in assessing their data protection compliance. It does not seem coincidental that the ICO moved to wrap up all three cases before the completion of Brexit — making the lessons impactful across the EU, and not only in the U.K.