Is Coca-Cola’s Recent Breach Notification GDPR Compliant?

The newly disclosed data breach by a former employee at the Coca-Cola Company highlights an interesting angle on companies’ obligation to notify in connection with GDPR.


By Morten Boel Sigurdsson, CEO, Omada

In September 2017, Coca-Cola was informed by law enforcement officials that a former employee of a Coca-Cola subsidiary was found in possession of an external hard drive containing personally identifiable information (PII) that appeared to have been misappropriated from Coca-Cola. The former employee took the data with him when he left the company. As seen in many cases, this incident highlights the importance of governing identities and their access to confidential information within companies.

What’s interesting in this case is that Coca-Cola did not inform employees until late May 2018, when it sent out a notification letter. This means that after Coca-Cola was alerted to the incident, it delayed making any notification to the almost 8,000 individuals whose personal information was breached. The stated reason for postponing the notification to the data subjects/employees whose data was potentially affected by this incident was that law enforcement officials asked Coca-Cola to postpone it.

The case poses an interesting angle on companies’ obligation to notify.

It is clear that if the data involve EU citizens, the data authorities in the respective countries need to be informed within 72 hours, following the introduction of GDPR. But what about the requirement to notify data subjects who might suffer damage from their data being stolen and misused? Is it up to the individual company to decide whether the data exposed in a given breach is serious enough that employees need to be notified right away?

The question is whether Coca-Cola has been in breach of GDPR regulations by not alerting data subjects/employees much sooner.

What is a company’s obligation to notify? Is it justifiable cause for delay that a third party such as US law enforcement makes a company wait almost three quarters of a year before notifying affected data subjects? Is it sufficient to use the argument that authorities are asking them to delay? Is this GDPR compliant?

The Coca-Cola case is an interesting one and, most likely like many other incidents we will see in the future, it will show how GDPR is going to be exercised in ‘real life’. As the enforcement of GDPR is currently being rolled out with huge potential impact for companies, it is important that the principles are clearly understood by the executive management of corporations around the world.

The insider threat remains the top source of security incidents

Alongside the need for clarity on the obligation to notify is the apparent need for continued focus on the significant insider threat, which companies must pay heed to. According to PwC’s Global State of Information Security Survey 2018, insider threats remain the top source of security incidents. The report notes that while external threats are decreasing, incidents attributed to insiders, such as third parties (suppliers, consultants, and contractors) and employees, have stayed about the same or increased. According to the Ponemon Institute’s 2018 Cost of Insider Threats report, insider attacks should be taken very seriously. The report notes that while the negligent insider is the root cause of most breaches, the bad actor who steals employees’ credentials is responsible for the costliest incidents. Incidents involving negligent employees or contractors cost companies an average of US$283,281, a cost which more than doubles (US$648,845) if the incident involves an imposter or thief stealing credentials, according to the report. In comparison, hackers cost organizations an average of US$607,745 per incident, according to the report. Moreover, insider attacks take time. The report concludes that it takes companies over two months on average to contain an insider incident, and only 16% of incidents are contained in less than 30 days.

Additional links

Coca-Cola Suffers Breach at the Hands of Former Employee


Omada Founder and President (NA) Morten Boel Sigurdsson has more than 25 years of experience providing innovative IT-related services and solutions for large global organizations. He has a background from SAP and A.P. Moller Maersk.



