Companies have long shrugged off light fines from regulators and authorities after losing control of customer or employee data - it's just the cost of doing business in the digital age. But the General Data Protection Regulation (GDPR) is poised to add some zeros to the per-record cost of data breaches. Just consider the case of Hilton Domestic Operating Company, Inc., formerly known as Hilton Worldwide, Inc., a.k.a. “Hilton.”
On Tuesday, New York Attorney General Eric T. Schneiderman slapped a $700,000 fine on the hotel giant for two 2015 incidents in which the company was hacked, spilling credit card and other information for roughly 350,000 customers.
Schneiderman also punished Hilton for its lackluster response to the incidents. The company first learned in February 2015 that its customer data had been exposed through a UK-based system belonging to the company, which a contractor observed communicating with “a suspicious computer outside Hilton’s computer network.” A forensic investigation revealed credit-card-targeting malware that potentially exposed cardholder data between November 18 and December 5, 2014. Still, the company did not inform customers or others affected of that finding.
On July 10, 2015, Hilton learned of a second breach, also involving data-stealing malware, that operated from April 21, 2015 through July 27, 2015. In that incident there was evidence of 363,952 credit card numbers aggregated for removal by the attackers, the New York Attorney General’s Office said. Still, it took Hilton until November 24, 2015 - more than nine months after the first intrusion was discovered - to notify the public.
“Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible,” said Attorney General Schneiderman in a statement. “Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk.”
The $700,000 fine works out to a comfortable $2 per lost record - but it’s a mere rounding error for Hilton, which reported revenues of $11.2 billion in 2015, the year the breaches were discovered. The $700,000 fine, then, was roughly 0.006 percent of Hilton’s annual revenue that year. You’ll have to excuse the yawns coming from the Hilton board room after the NY AG’s sternly worded letter.
But things are going to be different for Hilton and other companies like it come May 2018, when the provisions of the EU’s General Data Protection Regulation (GDPR) take effect. Under that new law, data “controllers” like Hilton (in other words: organizations that decide why and how personal data on customers or employees is collected and used) can be fined up to €20 million or 4% of total worldwide annual turnover in the preceding financial year, whichever is higher, for failing to meet the law’s requirement to protect that data.
What does that mean practically for a company like Hilton? Well, the company’s FY 2014 revenue (or “turnover”) was $10.5 billion. Four percent of that is a cool $420 million - or $1,200 for every one of the roughly 350,000 customer records lost. Needless to say, that’s a number that will get the attention of the company’s Board of Directors and shareholders.
Of course, Hilton is a US-based company and the GDPR is an EU law. But the GDPR applies to the processing of personal data of people in the EU regardless of where the organization doing the processing is based, so the practical effect will be that US companies like Hilton, which have substantial operations and customers in the EU, are bound by it just as much as EU-based firms. That will be a welcome development in the U.S., where Congress has dithered for more than a decade and failed to pass comprehensive data protection legislation. In the meantime, 48 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have gone their own way, enacting varied legislation that requires private or governmental entities to notify individuals of security breaches involving personally identifiable information.
In the absence of strong controls domestically, the arrival of GDPR will be a cold shower for many firms that have grown accustomed to losing data and bearing little cost beyond credit monitoring for victims (most of whom never take advantage of the offer), modest fines, and public relations consultants to repair a bruised corporate image.
A recent survey of 25 of the 50 largest U.S. banks by the firm RiskIQ, for example, found that 68 percent of the banks collect GDPR-regulated PII insecurely via web pages and customer-facing applications. Insofar as insecure practices for collecting, storing and transmitting data lead to breaches affecting that data, we might presume that companies in the US will be writing some big checks to EU regulators in the months and years ahead.
From the standpoint of a consumer whose data rests within those companies’ systems, that isn’t a bad thing.
Paul Roberts is Editor in Chief of The Security Ledger and founder of The Security of Things Forum.