by merijnv 1902 days ago
> Interesting precedent. The platform is responsible not just for their own security practices, but also their users' security practices.

Well, not really. Booking didn't get fined over security practices. They got fined over not notifying of a breach of their users' data within 72 hours.

So you're not really "responsible for users' security practices", you're "responsible for notifying users/authorities in time when you notice leaks/breaches". Seems rather different to me.

3 comments

This case is rather complex, because the customers have a contractual relationship both with booking.com and directly with the hotel. This makes it difficult to tell whose responsibility the breach notification is. I would have said that it's the responsibility of the individual hotels here.
Would Facebook have to inform me within 72 hours if someone got access to another account that can read private info of my account? I don't think that Facebook (or similar networks) disclose such breaches. At least I've never seen information on that.
Notifying users about a breach is a security practice, so they are being fined specifically because of their own security practices.